Abstract

Despite the wide array of frameworks proposed for the formal specification and analysis of privacy laws, there has been comparatively little work on expressing large fragments of actual privacy laws in these frameworks. We attempt to bridge this gap by presenting what we believe to be the most complete logical formalizations of the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) to date.

Specifically, we formalize §§6802 and 6803 of GLBA and §§164.502, 164.506, 164.508, 164.510, 164.512, 164.514, and 164.524 of HIPAA. The remaining sections of both laws are not stated in terms of operational requirements, and therefore cannot be formalized in our model.

Along the way, we also give a novel extension of an existing privacy logic with real-time features and fixed point operators; these provide the expressive power necessary to capture legal clauses found in GLBA and HIPAA involving bounded-time obligations and reuse of information.
Chapter 1

Introduction

With advances in communication and data processing, especially digital forms, over the last several decades, there has been an explosion in the amount and detail of information maintained by organizations about clients, patients, and other individuals. Such information is incredibly valuable to both organizations and individuals: organizations can operate more efficiently and provide higher quality services to individuals. At the same time, these benefits must be balanced against the individuals’ right to privacy.

In response, democratic governments have instituted numerous laws to regulate the collection and use of personal information. Example privacy laws of the United States of America include the Gramm-Leach-Bliley Act (GLBA) [US99] for financial privacy and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [US02] for privacy in the healthcare context.

Even after a cursory glance through these laws, it is apparent that the legal language is much too dense and intricate for the laws to serve as a day-to-day guide to managers of the regulated organizations. Managers (and the general public too) are instead interested in answers to concrete, practical questions, such as “Is the organizational privacy policy of Hospital X consistent with HIPAA?” and “Does GLBA permit Bank Y to disclose Bob’s account information to Charlie?”

Recently, in efforts including role-based access control (RBAC) [Cra03, JSSS01, LMW02], the Extensible Access Control Markup Language (XACML) [ANP+04], the Enterprise Privacy Authorization Language (EPAL) [BKBS04, BPS03], the Platform for Privacy Preferences (P3P) [RC99, BCK03, ACR99], and the Logic of Privacy and Utility (LPU) [BDMN06, BDMS07, Bar08], researchers have begun to attack the problem of formally expressing the content of both organizational privacy policies and privacy laws. The hope is that these languages and logics will permit the construction of tools that can directly answer the kinds of questions that arise in day-to-day business operations.

Despite the wide array of privacy languages and logics, to the best of our knowledge, there has been comparatively little work on expressing large fragments of actual privacy laws in these frameworks¹; instead, the encodings have been limited to small proof-of-concept examples. But this is a significant deficiency if the program of obtaining practical benefits from formal specification of privacy laws is to succeed. We must be confident that the techniques invented for the small examples scale to full privacy laws.

¹The exceptions are work by Breaux and Antón on a classification of all HIPAA clauses [BA08], a Datalog formalization of §§164.502, 164.506, and 164.510 of HIPAA by Lam et al. [LMS09], and an access control-based encoding of §164.506 of HIPAA by May et al. [MGL06]. See Chapter 5 for more details.
This work is intended to help bridge this gap. In Chapters 3 and 4, we give what we believe is the most complete logical formalization of the privacy-relevant portions of GLBA and HIPAA to date. Specifically, we formalize §§6802 and 6803 of GLBA and §§164.502, 164.506, 164.508, 164.510, 164.512, 164.514, and 164.524 of HIPAA in a novel logic, which we call PrivacyLFP, based on the Logic of Privacy and Utility [BDMN06, BDMS07, Bar08]. As discussed in Chapter 2, only three significant modifications of LPU were needed to enable it to scale to this level of formalization.

We do not formalize the remaining sections of GLBA and HIPAA, not due to lack of time or energy, but because those sections are inherently incompatible with logical formalization for operational purposes. Typically, this is because the section is not phrased operationally. For example, §6801 of GLBA abstractly states that

[E]ach agency or authority [...] shall establish appropriate standards for the financial institutions [...] to insure the security and confidentiality of customer records and information,

without providing implementation specifications for this policy. Similarly, §164.514(e)(4)(iii) of HIPAA defines non-compliance but does not regulate specific transmissions of protected health information:

A covered entity is not in compliance [...] if the covered entity knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement.

Contributions. The contributions of this work are two-fold.

First, to the best of our knowledge, we present the most complete formalization of GLBA and HIPAA in a privacy logic or language to date. These kinds of large-scale case studies are crucial to justify the viability of formal specification as a means of obtaining practical benefits. While more privacy laws deserve this kind of detailed specification if we are to achieve broad applicability, we believe that our efforts represent a solid first step.

Second, we present a logic, PrivacyLFP, that significantly extends the expressive power of (the privacy fragment of) LPU. Most importantly, we give a novel synthesis of ideas from fixed point and privacy logics, showing that such a combination is both coherent and useful. A sister project on auditing and accountability [DGJ+10] has demonstrated that fixed points, especially greatest ones, can be present in those analyses, as well: we are not using a construct in specification that is too exotic for operational applications.

Other extensions to LPU include 1. disclosure purposes, since many laws allow or deny disclosures based on purpose; 2. explicit real-time features, since lawmakers often impose concrete time limits, such as “within 30 days;” and 3. a distinction between acting in and belonging to a role, to express clauses that prescribe privacy actions that depend on an individual’s “citizenship” in a role.

Outline of the Report. In Chapter 2, we motivate PrivacyLFP’s extensions to (the privacy fragment of) LPU, describe the syntax and semantics of the core first-order fixed point logic, present the assumptions we make about the underlying first-order structure, and give convenient syntactic sugar for concisely representing standard temporal operators. In Chapters 3 and 4, we give our formalizations of the privacy-relevant portions of the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. In Chapter 5, we overview the related work.
Chapter 2

PrivacyLFP: A Logic of Privacy with Fixed Points

As stated, our primary goal in this work is to extend techniques developed in other privacy languages and logics so that the privacy-relevant portions of the Gramm-Leach-Bliley Act (GLBA) [US99] and the Health Insurance Portability and Accountability Act (HIPAA) [US02] may be completely formalized. With an eye toward eventual auditing and assigning blame based on agents’ irresponsibility [DGJ+10] in the manner of the Logic of Privacy and Utility (LPU) [BDMN06, BDMS07, Bar08], we choose to use LPU as a starting point.

Unfortunately, however, LPU is not sufficiently expressive to permit full formalization of GLBA and HIPAA. In particular, we require constructs for expressing purposes, real-time features, and fixed points. Therefore, we propose a new logic, PrivacyLFP, based on LPU, but with these new constructs. Just as LPU is a particular signature of ATL* [AHK02], PrivacyLFP is a particular signature of the fixed point logic LFP [Ras02, BS06].

Before describing these extensions in detail, we motivate them using three concrete examples from HIPAA and GLBA.

2.1 Background on LPU

Being based on the contextual integrity model [Nis04], a philosophical framework of privacy centered around norms of transmission, LPU’s fundamental concept is that of the positive and negative norms of a given privacy regulation.

Positive norms, $\varphi^{+}$, state that communication may occur if a condition is satisfied. For example, a positive norm might be that protected health information may be sent if the recipient keeps that information confidential. In this way, the positive norms capture the permitting, or “allow”, clauses of the regulation. On the other hand, negative norms, $\varphi^{-}$, state that communication may occur only if a condition is satisfied. For example, a negative norm might be that protected health information may be sent only if the recipient keeps that information confidential. In a sense, the negative norms capture the denying clauses of the regulation.

To respect the if/only-if duality of positive and negative norms, LPU requires that one of the positive norms and all of the negative norms are satisfied when a disclosure occurs. Thus, to check the compliance of a trace, $\sigma$, of send actions against a privacy law in LPU, one essentially checks:

\[
\sigma \models \Box\, \forall p_1, p_2, m.\ \mathrm{send}(p_1, p_2, m) \supset \bigvee_i \varphi_i^{+} \wedge \bigwedge_i \varphi_i^{-}
\]

where the $\varphi_i^{+}$ capture the permitting clauses of the law and the $\varphi_i^{-}$ capture the denying clauses of the law.

Also, in introducing LPU, Barth et al. give a syntactic characterization of positive and negative norms, which is essentially:

\[
\begin{array}{ll}
\text{positive norm } \varphi^{+} : & \theta \wedge \psi \\
\text{negative norm } \varphi^{-} : & \theta \supset \psi
\end{array}
\]

where $\theta$ is a formula that constrains the roles of the sender, recipient, subject, and message contents, and $\psi$ is a temporal constraint formalizing past and future obligations. It may be useful to adopt the slogan “positive norms as conjunction, negative norms as implication” to further appreciate the duality of the two types of norms.

2.2 Motivating Examples

2.2.1 Purposes

In addition to using the disclosure’s contents, privacy laws often consider a disclosure’s purpose when determining whether it should be allowed or denied. For example, §164.506(c)(1) of HIPAA states:

A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.

Although the word “purpose” is not found in this clause, the intent is clearly to allow disclosures which have the purpose of furthering treatment, payment, or health care operations. Any formalization of this clause must somehow incorporate a disclosure’s purpose so that it can be checked against these three permitted classes.

Unfortunately, LPU ignores disclosure purposes. To remedy this, we will extend LPU with a new sort purp of purposes. Purposes will also be equipped with a partial order $\prec_U$ that models purposes’ inherent subtype structure. For example, $\mathit{administer\text{-}blood\text{-}test} \prec_U \mathit{treatment}$ because the purpose of administering a blood test is a particular kind of treatment purpose.

Given appropriate constants and the atomic proposition $(u_1 \in_U u_2)$, which holds when $u_1$ is a subpurpose of $u_2$, we can express §164.506(c)(1) as:

\[
\begin{array}{rl}
\varphi_{506c1} = & \mathrm{activerole}(p_1, \mathit{covered\text{-}entity})\ \wedge \\
 & (t \in_T \mathit{phi})\ \wedge \\
 & ((u \in_U \mathit{treatment}(p_1))\ \vee \\
 & \ (u \in_U \mathit{payment}(p_1))\ \vee \\
 & \ (u \in_U \mathit{healthcare\text{-}operations}(p_1)))
\end{array}
\]
2.2.2 Real-Time

Being based on the temporal logic LTL [MP95], LPU is squarely in the philosophical tradition of being concerned solely with the relative order of events, and not the wall-clock time that separates them. We have found that this abstraction perfectly suits many clauses in privacy laws. Unfortunately, however, this abstraction is at odds with other clauses; legislators sometimes wish to impose specific time limits, such as “within 30 days” or “annually”.

For example, §6803(a) of GLBA states that:

At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer [...], of such financial institution’s policies and practices with respect to [disclosing nonpublic personal information].

Clearly, we will need real-time features to be able to express this clause, since there is no notion of a calendar year in LTL (and, consequently, LPU).

For these features, we borrow ideas from Alur and Henzinger’s timed propositional temporal logic (TPTL) [AH94]. Specifically, as in TPTL, we assign a wall-clock time to each state. These times must be nondecreasing with respect to the order of states in the trace. We also borrow the freeze quantifier $x.\varphi$ which binds $x$ in $\varphi$ to the current state’s time.

Using these ideas, if given appropriate beginrole and endrole predicates, we might express §6803(a) of GLBA as:

\[
\mathbf{G}\ \forall q, r, p_1.\ \mathrm{beginrole}(q, r) \wedge (r = \mathit{customer}(p_1)) \supset \varphi_{6803a}
\]

and

\[
\begin{array}{rl}
\varphi_{6803a} = & (x.\ \Diamond (y.\ (y = x)\ \wedge \\
 & \quad \exists m''.\ \mathrm{send}(p_1, q, m'')\ \wedge \\
 & \quad \mathit{is\text{-}annual\text{-}notice}(m'', p_1, q)))\ \wedge \\
 & ((x.\ \Diamond (y.\ (y \le x + 365)\ \wedge \\
 & \quad ((\exists m''.\ \mathrm{send}(p_1, q, m'')\ \wedge \\
 & \quad\ \mathit{is\text{-}annual\text{-}notice}(m'', p_1, q))\ \vee \\
 & \quad\ \mathrm{endrole}(q, \mathit{customer}(p_1)))))\ \mathbf{W} \\
 & \ \mathrm{endrole}(q, \mathit{customer}(p_1)))
\end{array}
\]

The freeze quantifiers, specifically the fragment $x.\ \Diamond (y.\ (y \le x + 365) \wedge \ldots)$, crucially ensure that, in every state, there exists a state occurring no more than 365 days later in which an annual notice is sent.

In the interest of full disclosure, we wish to admit here that our PrivacyLFP logic will not truly be a temporal logic or literally include freeze quantifiers. Instead, PrivacyLFP is the fixed point logic analogue of the first-order logic obtained by the standard translation of a modal logic to first-order logic: states and times will be characterized using a particular first-order structure. In this way, the freeze quantifier and other temporal operators are but (very) useful syntactic sugar for propositions in our first-order logic. We return to this point in Section 2.3.3.
2.2.3 Fixed Points

As overviewed in Section 2.1, to check the compliance of a trace, $\sigma$, of send actions against a privacy law, one essentially checks:

\[
\sigma \models \Box\, \forall p_1, p_2, m.\ \mathrm{send}(p_1, p_2, m) \supset \bigvee_i \varphi_i^{+} \wedge \bigwedge_i \varphi_i^{-}
\]

Although not performed in any prior work on LPU, for narrative purposes, suppose that we define the proposition $\mathrm{maysend}(p_1, p_2, m)$ as a macro:

\[
\mathrm{maysend}(p_1, p_2, m) = \bigvee_i \varphi_i^{+} \wedge \bigwedge_i \varphi_i^{-}
\]

and instead check:

\[
\sigma \models \Box\, \forall p_1, p_2, m.\ \mathrm{send}(p_1, p_2, m) \supset \mathrm{maysend}(p_1, p_2, m)
\]

At this point, we have not made any fundamental changes: the body of the macro can just be substituted in for $\mathrm{maysend}(p_1, p_2, m)$.

In many cases, it works well to follow this approach of simply taking $\mathrm{maysend}(p_1, p_2, m)$ as a macro for the conditions under which the law allows a disclosure to occur. That is, it works well until a clause refers recursively to those conditions. For example, consider §6802(c) of GLBA, which places limits on the reuse of information:

Except as otherwise provided in this subchapter, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.

Roughly, we would like to express this clause as something like:

\[
\begin{array}{rl}
\varphi_{6802c} = & \forall p'.\ \neg\mathrm{activerole}(p_1, \mathit{affiliate}(p'))\ \wedge \\
 & \neg\mathrm{activerole}(p_2, \mathit{affiliate}(p'))\ \wedge \\
 & \neg\mathrm{activerole}(p_2, \mathit{affiliate}(p_1))\ \wedge \\
 & \Diamond^{-}(\mathrm{send}(p', p_1, m)\ \wedge \\
 & \quad \mathrm{activerole}(p', \mathit{institution})) \supset \\
 & \Diamond^{-}\, \mathrm{maysend}(p', p_1, m)
\end{array}
\]

However, if we define maysend as a macro, then this formalization would not even be syntactically well-formed. The natural idea is to generalize the definition of maysend as a macro to a fixed point definition, so that this formalization is at least syntactically well-formed. Of course, doing so requires a significant extension to LPU, since fixed point operators are not present in that logic.

(At this point, we would like to note that we are significantly overstating the obviousness of this generalization. Of course, once the positive and negative norms are factored out as a maysend macro, generalization from a macro to a fixed point is indeed a natural step; but realizing that this factoring is possible and conceptually useful was a key turning point in our work.)

The remaining question is which fixed point operator is semantically correct for this clause: should it be the least fixed point, $\mu$, the greatest fixed point, $\nu$, or something else altogether? Intuitively, we claim that the greatest fixed point is the correct interpretation since we do not want to impose any constraints beyond those required by the law. Stated differently, we want to allow everything that is not explicitly denied by the law.

As a result, we arrive at the following general top-level formula:

\[
\begin{array}{l}
\mathbf{G}\ \forall p_1, p_2, m.\ \mathrm{send}(p_1, p_2, m) \supset \\
\quad (\nu\, \mathrm{maysend}(p_1', p_2', m').\ \bigvee_i \varphi_i^{+} \wedge \bigwedge_i \varphi_i^{-})(p_1, p_2, m)
\end{array}
\]

(Note that, for the sake of brevity, we have replaced $\sigma \models \Box$ with the equivalent $\mathbf{G}$ modality, meaning “in all states”.) Although it is not necessary for our motivating example, one can further generalize this formula to include a least fixed point over the $\varphi_i^{+}$s:

\[
\begin{array}{l}
\mathbf{G}\ \forall p_1, p_2, m.\ \mathrm{send}(p_1, p_2, m) \supset \\
\quad (\nu\, \mathrm{maysend}(p_1', p_2', m').\ (\mu X(p_1'', p_2'', m'').\ \bigvee_i \varphi_i^{+})(p_1', p_2', m') \wedge \bigwedge_i \varphi_i^{-})(p_1, p_2, m)
\end{array}
\]

This reveals an elegant duality between the positive and negative norms. For positive norms, a least fixed point is used because we want to permit no more disclosures than the law does; for negative norms, a greatest fixed point is used because we want to be no more restrictive than the law is.
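The compliance check of Section 2.1 and the greatest-fixed-point reading of maysend above, worked through as an added Python example that is not part of the report or its Chapter 3 formalization: a constructed toy world with one institution, its affiliate and two nonaffiliated third parties, two constructed positive norms, and one negative norm modelled on the §6802(c) reuse limit, whose unless-clause is checked, as the statute reads, against whether the institution could itself lawfully disclose to the final recipient. The greatest fixed point is obtained by iterating the norm operator downward from the full relation until it stabilizes.

```python
"""Evaluating maysend as a greatest fixed point over a finite world (constructed)."""
from itertools import product

# Constructed world: principals, one piece of nonpublic personal information,
# the affiliate relation, an opt-out list, and disclosures already on the trace.
PRINCIPALS = ["bank", "aff", "tp1", "tp2"]
MESSAGES = ["npi"]
INSTITUTIONS = {"bank"}
AFFILIATE_PAIRS = {("aff", "bank")}       # aff is an affiliate of bank
OPTED_OUT = {"tp2"}                       # sharing with tp2 was opted out of
PAST_SENDS = {("bank", "tp1", "npi")}     # bank already disclosed npi to tp1


def affiliated(p, q):
    """A principal is never a nonaffiliated third party of itself or its affiliates."""
    return p == q or (p, q) in AFFILIATE_PAIRS or (q, p) in AFFILIATE_PAIRS


def received_from_institution(p1, m):
    """Institutions from which p1 received m earlier on the trace (6802(c) premise)."""
    return {p for (p, q, mm) in PAST_SENDS if q == p1 and mm == m and p in INSTITUTIONS}


# Positive norms (theta /\ psi). Each receives the candidate relation S so that a
# norm may refer back to maysend, which is what makes this a fixed point.
def pos_to_affiliate(p1, p2, m, S):
    return p1 in INSTITUTIONS and (p2, p1) in AFFILIATE_PAIRS


def pos_to_third_party(p1, p2, m, S):
    return p1 in INSTITUTIONS and not affiliated(p1, p2) and p2 not in OPTED_OUT


def pos_forward_received(p1, p2, m, S):
    # A recipient may pass on what it holds, subject to the negative norms below.
    return bool(received_from_institution(p1, m)) and p1 != p2


POSITIVE_NORMS = [pos_to_affiliate, pos_to_third_party, pos_forward_received]


# Negative norm (theta ⊃ psi) for the reuse limit: a nonaffiliated third party p1
# that got m from institution inst may pass it to p2, nonaffiliated with both,
# only if inst could lawfully have disclosed m to p2 directly, i.e. (inst, p2, m) ∈ S.
def neg_reuse_limit(p1, p2, m, S):
    for inst in received_from_institution(p1, m):
        if not affiliated(p1, inst) and not affiliated(p2, inst) and not affiliated(p2, p1):
            if (inst, p2, m) not in S:
                return False
    return True


NEGATIVE_NORMS = [neg_reuse_limit]


def step(S):
    """One application of the norm operator: some positive norm and all negative norms."""
    return {(p1, p2, m) for p1, p2, m in product(PRINCIPALS, PRINCIPALS, MESSAGES)
            if any(n(p1, p2, m, S) for n in POSITIVE_NORMS)
            and all(n(p1, p2, m, S) for n in NEGATIVE_NORMS)}


def maysend_gfp():
    """Greatest fixed point: assume everything permitted, then remove until stable.

    Round 1 keeps tp1 -> tp2 because the full relation still contains bank -> tp2;
    round 2 drops it once bank -> tp2 (opted out) is gone; round 3 confirms stability.
    """
    S = set(product(PRINCIPALS, PRINCIPALS, MESSAGES))
    rounds = 0
    while True:
        rounds += 1
        nxt = step(S)
        if nxt == S:
            return S, rounds
        S = nxt


if __name__ == "__main__":
    allowed, rounds = maysend_gfp()
    for triple in sorted(allowed):
        print("maysend%s" % (triple,))
    print("stabilized after %d rounds" % rounds)
```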

2.3 PrivacyLFP Logic

Having motivated our extensions to LPU, we now turn to a formal description of our PrivacyLFP logic. Its core is Least Fixed Point logic (LFP) [BS06, Ras02], which is a first-order logic with least and greatest fixed point operators, and is described in Section 2.3.1. In Section 2.3.2, we detail the particulars of the first-order structure that we assume for PrivacyLFP. Finally, in Section 2.3.3, we give convenient syntactic sugar for temporal operators, including the freeze quantifier.

2.3.1 Syntax and Semantics of Core Logic

Syntax

Terms $t$ come from a collection of domains $\mathcal{D}_s$ (carrier sets), indexed by sorts $s$, and may mention variables $x$ and $y$. Predicate symbols $P \in \mathcal{P}$ and predicate variables $X \in \mathcal{X}$ represent respectively known relations over terms and unknown relations (of known arities) over terms. Formulas, $\varphi$ and $\psi$, have the following syntax.


\[
\varphi, \psi ::= P(\vec{t}) \mid X(\vec{t}) \mid \top \mid \neg\varphi \mid \varphi \wedge \psi \mid \exists x{:}s.\varphi \mid (\mu X(\vec{x}).\varphi)(\vec{t}) \mid (\nu X(\vec{x}).\varphi)(\vec{t})
\]

As is typical, we can define falsehood $\bot$ as $\neg\top$, the disjunction $\varphi \vee \psi$ as $\neg(\neg\varphi \wedge \neg\psi)$, the implication $\varphi \supset \psi$ as $\neg\varphi \vee \psi$, and the universal quantification $\forall x{:}s.\varphi$ as $\neg\exists x{:}s.\neg\varphi$.

In other words, LFP is an extension of first-order logic with the least fixed-point operator $(\mu X(\vec{x}).\varphi)(\vec{t})$ and the greatest fixed-point operator $(\nu X(\vec{x}).\varphi)(\vec{t})$. The former defines an implicit predicate $X$ as the least solution of the equation $X(\vec{x}) = \varphi$ and checks that the tuple of terms $\vec{t}$ satisfies the predicate (i.e., it lies in the least solution). Both $X$ and $\vec{x}$ are bound in $\varphi$ and may be tacitly $\alpha$-renamed. The greatest fixed-point operator is similar, except that it defines the predicate as the greatest solution of the same equation. In order to ensure that the least and greatest solutions exist, any occurrences of $X$ in $\varphi$ must be under an even number of negations.


Semantics

The semantics of LFP are based on those of first-order logic, with provision for the fixed-point operators. Let $\mathcal{D}_s$ be a collection of algebras, indexed by sorts, matching the signature of the terms and predicates of the logic. Let $\llbracket t \rrbracket_\theta$ denote the interpretation of term $t$ under substitution $\theta$ for its variables and some implicit interpretation of function symbols which respects their sorts. Let $\llbracket \vec{t} \rrbracket_\theta$ be its component-wise lifting to tuples. Let $\mathcal{I}$ denote a map from $\mathcal{P} \cup \mathcal{X}$ to relations of respective arities over the domains for the corresponding sorts of arguments. The semantics of a formula $\varphi$ are captured by the relation $\theta;\mathcal{I} \models \varphi$, defined by induction on $\varphi$ using standard rules as follows:

\[
\begin{array}{lcl}
\theta;\mathcal{I} \models P(\vec{t}) & \text{iff} & \llbracket \vec{t} \rrbracket_\theta \in \mathcal{I}(P) \\
\theta;\mathcal{I} \models X(\vec{t}) & \text{iff} & \llbracket \vec{t} \rrbracket_\theta \in \mathcal{I}(X) \\
\theta;\mathcal{I} \models \top & & \text{always} \\
\theta;\mathcal{I} \models \neg\varphi & \text{iff} & \text{not } \theta;\mathcal{I} \models \varphi \\
\theta;\mathcal{I} \models \varphi \wedge \psi & \text{iff} & \theta;\mathcal{I} \models \varphi \text{ and } \theta;\mathcal{I} \models \psi \\
\theta;\mathcal{I} \models \exists x{:}s.\varphi & \text{iff} & \theta[x \mapsto d];\mathcal{I} \models \varphi \text{ for some } d \in \mathcal{D}_s \\
\theta;\mathcal{I} \models (\mu X(\vec{x}).\varphi)(\vec{t}) & \text{iff} & \llbracket \vec{t} \rrbracket_\theta \in \mu F^{X,\vec{x}}_{\theta,\mathcal{I}}(\varphi) \\
\theta;\mathcal{I} \models (\nu X(\vec{x}).\varphi)(\vec{t}) & \text{iff} & \llbracket \vec{t} \rrbracket_\theta \in \nu F^{X,\vec{x}}_{\theta,\mathcal{I}}(\varphi)
\end{array}
\]

In the last two clauses, $F^{X,\vec{x}}_{\theta,\mathcal{I}}(\varphi) : 2^{\Pi_{x \in \vec{x}} \mathcal{D}_{\Gamma(x)}} \to 2^{\Pi_{x \in \vec{x}} \mathcal{D}_{\Gamma(x)}}$ is the function that maps a set $S$ of tuples, each with $|\vec{x}|$ components, to $\{\vec{d} \mid \theta[\vec{x} \mapsto \vec{d}];\mathcal{I}[X \mapsto S] \models \varphi\}$, assuming that $\Gamma$ is a sort assignment for $\vec{x}$. This is a monotone map because of the constraint that every occurrence of $X$ in $\varphi$ be under an even number of negations. So, its greatest and least fixed points, $\nu F^{X,\vec{x}}_{\theta,\mathcal{I}}(\varphi)$ and $\mu F^{X,\vec{x}}_{\theta,\mathcal{I}}(\varphi)$, in the lattice $2^{\Pi_{x \in \vec{x}} \mathcal{D}_{\Gamma(x)}}$ exist by the Knaster-Tarski theorem [Tar55].


2.3.2 First-Order Structure

At this point, we have a generic first-order logic with least and greatest fixed point operators. However, it cannot currently support privacy applications since the first-order structure is left wholly unspecified. In response, we now provide details of the first-order structure that we assume for PrivacyLFP.

Much of this development closely follows that of LPU [BDMN06, BDMS07, Bar08]; readers familiar with that work may choose to skim this section, but should note the addition of purposes and actions for beginning and ending roles.


Data Model

Principals. We assume a sort prin of principals with an associated carrier set $\mathcal{P}$.
Raw Data and Attributes. To model the raw data over which privacy laws impose flow restrictions, we introduce a sort data and an associated carrier set $\mathcal{D}$. Intuitively, the raw data is unstructured and may even be free text. For this reason, we do not introduce constructors for or operators on sort data. We should note that our notion of raw data corresponds to that of messages in LPU; we reserve the term message for our extensible data type built on top of raw data (see below), which is not found in LPU.

By itself, raw data is wholly unsuitable for our purpose: privacy laws do not describe regulations on information flow at the level of bytes or even strings. Instead, they assume various more abstract, structured classes of data, such as “protected health information” and “psychotherapy notes”, and regulate according to the classification.

To model these classes of data, we follow LPU’s lead and introduce attributes which have sort attr and denote members of the carrier set $\mathcal{T}$. As in LPU, relationships between attributes are characterized by a set $C$ of computation rules which dictate when the value of a principal’s attribute can be inferred from other information. Thus, a rule is $(T, t) \in C$, meaning that, for any principal, the value of attribute $t$ can be inferred from the values of the attributes in $T$ (where $T \subseteq \mathcal{T}$ and $t \in \mathcal{T}$).¹ As an example rule, we have $(\{\mathit{street}, \mathit{city}, \mathit{state}\}, \mathit{postal\text{-}code}) \in C$ because one can infer the postal code from combined knowledge of the street, city, and state. We internalize this notion of computation rules as the proposition $t_1 \in_T t_2$:

\[
\theta;\mathcal{I} \models t_1 \in_T t_2 \quad\text{iff}\quad (\{\llbracket t_1 \rrbracket_\theta\}, \llbracket t_2 \rrbracket_\theta) \in C
\]

To relate raw data to its attribute classification, we introduce a semantic function data_contents that maps raw data to its abstract contents, a subset of $\mathcal{P} \times \mathcal{T}$. Due to the vast complexity of deciding how raw data should be classified, we cannot give an explicit definition for this function; instead, we rely on an oracle for its implementation. However, to capture both the immediate contents of the data and any indirect information that can be inferred from the immediate contents, we require that the oracle’s response is closed with respect to the computation rules:

\[
\mathrm{cl}_C \circ \mathrm{data\_contents} = \mathrm{data\_contents}
\]

where $\mathrm{cl}_C$ is the closure operator on subsets of $\mathcal{P} \times \mathcal{T}$ with respect to the computation rules in $C$.

As an example, $(\mathit{Bob}_{\mathcal{P}}, \mathit{blood\text{-}test}_{\mathcal{T}}(11/18/09)) \in \mathrm{data\_contents}(d)$ if and only if the raw data $d$ contains, either directly or indirectly, the results of Bob’s blood tests from November 18, 2009.

Purposes. As argued in Section 2.2.1, we require that our logic has some way to express disclosure purposes. To do so, we introduce a sort purp of purposes with carrier set $\mathcal{U}$. Note that parameterized purposes, such as $\mathit{treatment}(p)$ (treatment performed by $p$), are intentionally allowed.

The carrier set $\mathcal{U}$ is equipped with a partial order $\prec_U$ that models purposes’ structure. If $u_1 \prec_U u_2$, then we say that $u_1$ is a specific form of the $u_2$ purpose. For example, $\mathit{administer\text{-}blood\text{-}test}_{\mathcal{U}} \prec_U \mathit{treatment}_{\mathcal{U}}$ because administering a blood test is a particular type of treatment purpose.

We internalize this partial order as the proposition $u_1 \in_U u_2$:

\[
\theta;\mathcal{I} \models u_1 \in_U u_2 \quad\text{iff}\quad \llbracket u_1 \rrbracket_\theta \prec_U \llbracket u_2 \rrbracket_\theta
\]

¹One might consider generalizing computation rules to include the subject for each attribute, i.e., $(A, (p, t)) \in C$ where $A \subseteq \mathcal{P} \times \mathcal{T}$ and $(p, t) \in \mathcal{P} \times \mathcal{T}$. However, we leave this generalization to future work since it becomes unclear how to enforce rules that might hold for some principals but might not hold for others.




Messages. By omitting message constructors and including only a contents observer, LPU’s data model effectively assumes that all messages are morally lists of subject-attribute pairs. This assumption works well in some cases, but ignores the fact that a privacy law may circumscribe behavior on other message forms. For example, HIPAA gives patients the right to request access to their protected health information, and requires that covered entities respond to such requests (either by granting or denying access). To make a request for access, the patient sends a message listing the information attributes that she would like to access.

One could possibly shoehorn requests for access into LPU’s subject-attribute message format using a special “request-for-access” attribute that is itself parameterized by the requested attribute. However, this introduces the problem of who the subject of a “request-for-access” attribute should be, and is somewhat ad hoc.

Therefore, we significantly generalize the data model of LPU by using an extensible algebraic data type msg of messages, having carrier set $\mathcal{M}$. To recover the expressiveness of LPU’s subject-attribute message format (with the disclosure’s purpose added), we include the info message constructor:

\[
\mathrm{info} : \mathrm{data} \times \mathrm{purp} \to \mathrm{msg}
\]

Thus, a message $\mathrm{info}(d, u)$ carries the raw data $d$ disclosed for purpose $u$.

Because the message data type is extensible, we can add application-specific message forms as necessary. For example, to cleanly express requests for access in a formalization of HIPAA, we may add a req_for_access message constructor:

\[
\mathrm{req\_for\_access} : \mathrm{prin} \times \mathrm{attr} \to \mathrm{msg}
\]

To relate a message to the personal information it contains, we include the msg_contents function, which lifts the data_contents function to messages. As a general principle, msg_contents should be closed under the computation rules in $C$; that is:

\[
\mathrm{cl}_C \circ \mathrm{msg\_contents} = \mathrm{msg\_contents}
\]

Since we include the $\mathrm{info}_{\mathcal{M}}$ message constructor by default, we specify its clause of msg_contents as:

\[
\mathrm{msg\_contents}(\mathrm{info}_{\mathcal{M}}(d, u)) = \mathrm{data\_contents}(d)
\]

Note that closure of the contents of $\mathrm{info}_{\mathcal{M}}$ is inherited from data_contents.

If we included a $\mathrm{req\_for\_access}_{\mathcal{M}}$ message constructor, then, because a request carries no data (its subject-attribute pair acts as a name for the requested data), we would define

\[
\mathrm{msg\_contents}(\mathrm{req\_for\_access}_{\mathcal{M}}(q, t)) = \{\}
\]

Using the msg_contents function, we can give the semantics for a proposition $\mathrm{contains}(m, (q, t))$:

\[
\theta;\mathcal{I} \models \mathrm{contains}(m, (q, t)) \quad\text{iff}\quad (\llbracket q \rrbracket_\theta, \llbracket t \rrbracket_\theta) \in \mathrm{msg\_contents}(\llbracket m \rrbracket_\theta)
\]

Encoding  a  Trace  in  the  First-Order  Structure 

In LPU, the evolving system is modeled as a trace $\sigma$: an infinite sequence of states $\sigma = s_0 s_1 s_2 \ldots$. Each LPU state is a tuple $s_i = (\kappa_i, \rho_i, a_i)$ of a knowledge map $\kappa_i$, a role map $\rho_i$, and an action $a_i$. The action $a_i$ constrains the shape of the next state, $s_{i+1}$, according to a predefined relation between $s_i$ and $s_{i+1}$.

We will use a similar notion of trace. To associate with a state the knowledge held by principals, the roles to which principals belong, the roles in which principals are active, the set of concurrent actions presently occurring, its time, and the interpretation of predicates, we have functions $\kappa$, $\rho^B$, $\rho^A$, $a$, $\tau$, and $\iota$, respectively. States $s$ will then be tuples $(\kappa(s), \rho^B(s), \rho^A(s), a(s), \tau(s), \iota(s))$. We now turn to describing these components of states in detail.

Interpretation of Predicates. So that we may refer to states within formulas, we introduce a new sort state and associated carrier set $\mathcal{S}$. States from $\mathcal{S}$ are ordered according to the total order $<_{st}$ (and its natural weakening $\leq_{st}$). In this way, we may think of states as being natural numbers. This approach to interpreting formulas against traces by making state explicit in formulas is inspired by work on hybrid modal logics [Bla00, CMS06, Bd03].

To interpret formulas of LFP over traces, we restrict ourselves to a fragment of the logic in which the first argument of every atomic formula is the state in which the formula is to be interpreted, so each atomic formula has the form $P(s, \vec{t})$ or $X(s, \vec{t})$. Given a trace $\sigma$, we define the interpretation $\mathcal{I}_\sigma$ so that $(s, \vec{d}) \in \mathcal{I}_\sigma(P)$ if and only if $\vec{d} \in \iota(s)(P)$. Moreover, we define $\theta; \sigma \models \varphi$ to mean the satisfaction $\theta; \mathcal{I}_\sigma \models \varphi$ as defined in Section 2.3.1.

Knowledge and the Send Action. We track the knowledge of each principal in state $s$ using a knowledge map $\kappa(s)$ from $\mathcal{P}$ to a subset of $\mathcal{P} \times \mathcal{T}$. (In other words, $\kappa(s) : \mathcal{P} \to 2^{\mathcal{P} \times \mathcal{T}}$.) Thus, if $(q, t) \in \kappa(s)(p)$, then we say that, in state $s$, principal $p$ knows the value of attribute $t$ for subject $q$.

Provided that he knows the contents of the message, a principal $p_1$ can send a message $m$ to another principal $p_2$. Upon receiving the message, the recipient updates his knowledge state to reflect the contents he just learned and any facts he can compute from them. Sending a message should not affect the roles held by the various principals in the system.

This intuition gives us properties which must be satisfied by the first-order structure for Send actions:

• For all $\textsf{Send}(p_1, p_2, m) \in a(s)$, we require $\textsf{msg\_contents}(m) \subseteq \kappa(s)(p_1)$.

• Let $\textsf{msgs}(p_2)$ be defined as $\{ m \mid \textsf{Send}(p_1, p_2, m) \in a(s) \text{ for some } p_1 \}$. Then, we require $\kappa(s+1)(p_2) = \mathrm{cl}_C\big(\kappa(s)(p_2) \cup \bigcup_{m \in \textsf{msgs}(p_2)} \textsf{msg\_contents}(m)\big)$.

So that we can access the Send actions in the logical formulas, we include a $\textsf{send}(s, p_1, p_2, m)$ proposition, meaning that message $m$ is sent from $p_1$ to $p_2$ in state $s$:

$$\theta; \mathcal{I}_\sigma \models \textsf{send}(s, p_1, p_2, m) \quad\text{iff}\quad \textsf{Send}(\llbracket p_1 \rrbracket_\theta, \llbracket p_2 \rrbracket_\theta, \llbracket m \rrbracket_\theta) \in a(s)$$

Roles and the BeginRole and EndRole Actions. Principals hold roles that enable or restrict their behavior. For example, if Bob is a doctor, he may (or at least should) be able to disclose or receive different information than if he were an insurance representative. To express roles, we follow LPU and introduce a sort role of roles and the corresponding carrier set $\mathcal{R}$.

As in LPU, roles are equipped with a partial order $\preceq_\mathcal{R}$ that expresses role specialization. That is, if $r_1 \preceq_\mathcal{R} r_2$ holds, we say that $r_1$ is a specialization of role $r_2$. For example, we would expect $\textit{psychiatrist}_\mathcal{R} \preceq_\mathcal{R} \textit{doctor}_\mathcal{R}$ since a psychiatrist is a special type of doctor.

We extend LPU's treatment of roles in two ways. First, we allow general parameterized roles; only a very limited and ad hoc form was present in LPU. For example, we can now cleanly express the "doctor-of-p" role as doctor(p), for each p.
Second, and more significantly, we introduce a distinction between the set of roles to which a
principal  belongs  and  the  role  in  which  he  currently  acts.  Although  a  principal  may  change  the 
roles  to  which  he  belongs,  belonging  to  a  role  is  generally  a  longer  term  property  than  being  active 
in  a  role.  For  example,  a  doctor  who  is  also  a  member  of  an  oversight  board  would  belong  to  both 
the  doctor  and  oversight-board-member  roles,  but  would  freely  alternate  his  active  role  between  the 
two  from  state  to  state  depending  on  his  duties  in  that  state. 

By  having  an  explicit  notion  of  belonging  to,  and  not  just  acting  in,  a  role,  we  will  be  able  to 
formalize  legal  clauses  that  require  certain  privacy-related  behavior  when  a  client  or  patient  belongs 
to  some  role.  For  example,  §6803(a)  of  GLBA  requires  that  financial  institutions  annually  provide 
customers  with  a  privacy  notice.  If  we  only  had  a  notion  of  transiently  acting  in  a  customer  role, 
this  clause  would  be  difficult,  if  not  impossible,  to  correctly  express  in  our  logic. 

The roles, in state $s$, to which principals belong and in which they are active are tracked using distinct role maps $\rho^B(s)$ and $\rho^A(s)$, respectively. Because a principal may belong to multiple roles at once but may be active in at most one role, $\rho^B(s)$ is a total function from $\mathcal{P}$ to subsets of $\mathcal{R}$, whereas $\rho^A(s)$ is a partial function from $\mathcal{P}$ to $\mathcal{R}$.

A principal can freely and silently change his active role from state to state, but it must always be a role to which he belongs: we require that

$$\text{If defined, } \rho^A(s)(p) \in \rho^B(s)(p), \text{ for all states } s \in \mathcal{S} \text{ and all } p \in \mathcal{P}.$$

To capture active roles in the logical formulae, we include a proposition activerole(s, p, r), meaning that, in state $s$, principal $p$ is active in role $r$:

$$\theta; \mathcal{I}_\sigma \models \textsf{activerole}(s, p, r) \quad\text{iff}\quad \llbracket r \rrbracket_\theta = \rho^A(s)(\llbracket p \rrbracket_\theta)$$

To change the set of roles he belongs to, a principal must use the following BeginRole and EndRole actions². When starting to belong to a new role, a principal must also start belonging to all generalizations of that role. (If Bob starts belonging to the psychiatrist role, he must also start belonging to the more general role of doctor.) Moreover, no principals gain knowledge when one starts belonging to a new role. Dually, when a principal finishes belonging to a role, he must also finish belonging to all specializations of that role. (If Bob finishes belonging to the doctor role, he must no longer hold the specialized psychiatrist role.) Again, no principals learn knowledge when one finishes belonging to a role. In addition, to avoid race conditions, a principal should not simultaneously begin and end belonging to a role.

This intuition yields the following properties required of our first-order structure:

• Let $\textsf{roles}^+(p) = \{ r \mid \textsf{BeginRole}(p, r) \in a(s) \}$ and $\textsf{roles}^-(p) = \{ r \mid \textsf{EndRole}(p, r) \in a(s) \}$. Then, we require:

- $\rho^B(s+1)(p) = \big(\rho^B(s)(p) \cup \bigcup_{r \in \textsf{roles}^+(p)} \textsf{succ}_{\preceq_\mathcal{R}}(r)\big) \setminus \bigcup_{r \in \textsf{roles}^-(p)} \textsf{pred}_{\preceq_\mathcal{R}}(r)$, and

- $\textsf{succ}_{\preceq_\mathcal{R}}(r_1) \cap \textsf{pred}_{\preceq_\mathcal{R}}(r_2) = \emptyset$ for all $r_1 \in \textsf{roles}^+(p)$ and $r_2 \in \textsf{roles}^-(p)$,

where $\textsf{succ}_{\preceq_\mathcal{R}}(r) = \{ r' \in \mathcal{R} \mid r \preceq_\mathcal{R} r' \}$ and $\textsf{pred}_{\preceq_\mathcal{R}}(r) = \{ r' \in \mathcal{R} \mid r' \preceq_\mathcal{R} r \}$.

To include in the logical formulae the roles to which a principal belongs, we include a proposition belongstorole(s, p, r):

$$\theta; \mathcal{I}_\sigma \models \textsf{belongstorole}(s, p, r) \quad\text{iff}\quad \llbracket r \rrbracket_\theta \in \rho^B(s)(\llbracket p \rrbracket_\theta)$$

² Perhaps StartBelongingToRole and FinishBelongingToRole would have been more precise names, but they are much too verbose.
It will also be useful to have a method for referencing the beginning and ending events for a principal's role. This is found especially in §6803 of GLBA (see Chapter 3). For this purpose, we include beginrole(s, p, r) and endrole(s, p, r) propositions:

$$\theta; \mathcal{I}_\sigma \models \textsf{beginrole}(s, p, r) \quad\text{iff}\quad \textsf{BeginRole}(\llbracket p \rrbracket_\theta, \llbracket r \rrbracket_\theta) \in a(s)$$

$$\theta; \mathcal{I}_\sigma \models \textsf{endrole}(s, p, r) \quad\text{iff}\quad \textsf{EndRole}(\llbracket p \rrbracket_\theta, \llbracket r \rrbracket_\theta) \in a(s)$$
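The trace conditions above (knowledge closure on Send, begin/end of roles closed under the specialization order, the no-race check, and the active-role invariant) as an executable toy model. This is an added example, not the thesis's own code; the role order, the computation rule and the principals Bob, Alice and Carol are constructed for it.

```python
"""Toy executable model of the trace structure above (added example, not the
thesis's code): states carry a knowledge map kappa and role maps rho_b / rho_a;
`step` builds the successor state and checks the Send/BeginRole/EndRole rules."""
from dataclasses import dataclass, field

# Constructed role specialization order: (r1, r2) means r1 specializes r2.
ROLE_ORDER = {("psychiatrist", "doctor"), ("surgeon", "doctor")}


def succ(role, order=ROLE_ORDER):
    """Generalizations of `role`, including itself (succ_R in the text)."""
    out = {role}
    while True:
        more = {general for special, general in order if special in out} - out
        if not more:
            return out
        out |= more


def pred(role, order=ROLE_ORDER):
    """Specializations of `role`, including itself (pred_R in the text)."""
    roles = {r for pair in order for r in pair} | {role}
    return {r for r in roles if role in succ(r, order)}


def closure(facts, rules):
    """cl_C: close a set of (subject, attribute) pairs under computation rules."""
    facts = set(facts)
    while True:
        new = {f for rule in rules for f in rule(facts)} - facts
        if not new:
            return facts
        facts |= new


def msg_contents(msg, rules):
    """Lift data contents to messages; a request for access carries no data."""
    if msg[0] == "info":                # ("info", data, purpose)
        return closure(msg[1], rules)
    if msg[0] == "req_for_access":      # ("req_for_access", subject, attribute)
        return set()
    raise ValueError(f"unknown message form {msg[0]}")


@dataclass
class State:
    kappa: dict = field(default_factory=dict)  # principal -> set of (subject, attr)
    rho_b: dict = field(default_factory=dict)  # principal -> set of roles
    rho_a: dict = field(default_factory=dict)  # principal -> active role


def step(state, actions, rules, active=None):
    """Successor of `state` under a set of concurrent actions; raises on violations."""
    nxt = State({p: set(k) for p, k in state.kappa.items()},
                {p: set(r) for p, r in state.rho_b.items()},
                dict(state.rho_a if active is None else active))
    # Send: the sender must already know the contents; each recipient learns
    # them plus everything computable from them (closure under the rules).
    incoming = {}
    for act in actions:
        if act[0] == "Send":
            _, p1, p2, m = act
            contents = msg_contents(m, rules)
            if not contents <= state.kappa.get(p1, set()):
                raise ValueError(f"{p1} does not know the contents of {m}")
            incoming.setdefault(p2, set()).update(contents)
    for p2, learned in incoming.items():
        nxt.kappa[p2] = closure(state.kappa.get(p2, set()) | learned, rules)
    # BeginRole adds all generalizations, EndRole removes all specializations,
    # and the two sets must not overlap within one state (no race).
    begins = [a[1:] for a in actions if a[0] == "BeginRole"]
    ends = [a[1:] for a in actions if a[0] == "EndRole"]
    for p in {p for p, _ in begins + ends}:
        gained = set().union(*(succ(r) for q, r in begins if q == p))
        lost = set().union(*(pred(r) for q, r in ends if q == p))
        if gained & lost:
            raise ValueError(f"{p} begins and ends overlapping roles at once")
        nxt.rho_b[p] = (state.rho_b.get(p, set()) | gained) - lost
    for p, r in nxt.rho_a.items():  # an active role must be a role belonged to
        if r is not None and r not in nxt.rho_b.get(p, set()):
            raise ValueError(f"{p} is active in {r} without belonging to it")
    return nxt


def is_well_formed(state, actions, rules, active=None):
    """True iff `step` accepts the transition."""
    try:
        step(state, actions, rules, active)
        return True
    except ValueError:
        return False


# Constructed computation rule: knowing a date of birth yields the age.
RULES = [lambda facts: {(q, "age") for q, a in facts if a == "dob"}]


def run_sample():
    """Constructed trace: Bob becomes a psychiatrist (hence a doctor), sends
    Alice Carol's date of birth, then leaves the doctor role entirely."""
    s0 = State(kappa={"bob": closure({("carol", "dob")}, RULES), "alice": set()})
    s1 = step(s0, {("BeginRole", "bob", "psychiatrist")}, RULES)
    s2 = step(s1, {("Send", "bob", "alice", ("info", frozenset({("carol", "dob")}), "treatment"))},
              RULES, active={"bob": "psychiatrist"})
    s3 = step(s2, {("EndRole", "bob", "doctor")}, RULES, active={})
    return [s0, s1, s2, s3]
```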


Times 

As described in Section 2.2.2, we wish to express real-time properties similar to those of Alur and Henzinger's TPTL [AH94]. Consequently, $\tau(s)$ is the time at which state $s$ occurs.

We introduce a sort time and the first-order function symbol time of arity 1 so that $\textsf{time}(s)$ is interpreted as $\tau(s)$. Moreover, propositions $<$ and its natural weakening $\leq$, interpreted as a total order on times, are included. Similarly to TPTL, we require that the times assigned to states observe a monotonicity property: for all states $s$ and $s'$ such that $s <_{st} s'$, we must have $\textsf{time}(s) \leq \textsf{time}(s')$.

2.3.3  Syntactic  Sugar 

At this point, we can express temporal notions on the basis of the particulars of our first-order structure. For example, to say that, in all states in the future of state $s$, principal $p$ is active in the role of an institution, we could write:

$$\forall i{:}\textsf{state}.\ (s <_{st} i) \supset \textsf{activerole}(i, p, \textit{institution})$$

Although the needed expressive power is there, the syntax for accessing it is somewhat cumbersome. To alleviate this additional burden, we choose to introduce convenient syntactic sugar.

We will express this syntactic sugar in the form $(\phi)^{@s} = \psi$, meaning that, if the current state is $s$, then $\phi$ is simply syntactic sugar for $\psi$. Since $\psi$ may itself contain propositions annotated with $@s$, this definition takes the flavor of a translation. This definition follows the Kripke semantics of the standard LTL operators [MP95], interpreting the meta-language quantifiers, etc. as the corresponding first-order constructs.


$$\begin{aligned}
(X(\vec t))^{@s} &\triangleq X(s, \vec t)\\
(\top)^{@s} &\triangleq \top\\
(\phi \wedge \psi)^{@s} &\triangleq \phi^{@s} \wedge \psi^{@s}\\
(\neg\phi)^{@s} &\triangleq \neg\phi^{@s}\\
(\exists x{:}\tau.\ \phi)^{@s} &\triangleq \exists x{:}\tau.\ \phi^{@s}\\
(\mu X(\vec x).\ \phi)^{@s} &\triangleq (\mu X(y, \vec x).\ \ldots\\
(\nu X(\vec x).\ \phi)^{@s} &\triangleq (\nu X(y, \vec x).\ \ldots\\
(\mathsf{G}\,\phi)^{@s} &\triangleq \forall s'.\ \phi^{@s'}\\
(\Diamond\phi)^{@s} &\triangleq \exists s'.\ (s \leq_{st} s') \wedge \phi^{@s'}\\
(\Box\phi)^{@s} &\triangleq \forall s'.\ (s \leq_{st} s') \supset \phi^{@s'}\\
(\blacklozenge\phi)^{@s} &\triangleq \exists s'.\ (s' \leq_{st} s) \wedge \phi^{@s'}\\
(\blacksquare\phi)^{@s} &\triangleq \forall s'.\ (s' \leq_{st} s) \supset \phi^{@s'}\\
(\phi\,\mathcal{U}\,\psi)^{@s} &\triangleq \exists j{:}\textsf{state}.\ (s \leq_{st} j) \wedge \psi^{@j} \wedge (\forall i{:}\textsf{state}.\ (s \leq_{st} i) \wedge (i <_{st} j) \supset \phi^{@i})\\
(\phi\,\mathcal{S}\,\psi)^{@s} &\triangleq \exists j{:}\textsf{state}.\ (j \leq_{st} s) \wedge \psi^{@j} \wedge (\forall i{:}\textsf{state}.\ (j <_{st} i) \wedge (i \leq_{st} s) \supset \phi^{@i})\\
(\bigcirc\phi)^{@s} &\triangleq \phi^{@(s+1)}\\
(\iota x.\ \phi)^{@s} &\triangleq ([\textsf{time}(s)/x]\phi)^{@s}
\end{aligned}$$


We  can  then  obtain  the  remaining  standard  connectives  by  the  usual  duality-based  definitions. 


$$\begin{aligned}
(\bot)^{@s} &\triangleq (\neg\top)^{@s}\\
(\phi \vee \psi)^{@s} &\triangleq (\neg(\neg\phi \wedge \neg\psi))^{@s}\\
(\phi \supset \psi)^{@s} &\triangleq (\neg\phi \vee \psi)^{@s}\\
(\forall x{:}\tau.\ \phi)^{@s} &\triangleq (\neg\exists x{:}\tau.\ \neg\phi)^{@s}\\
(\phi\,\mathcal{W}\,\psi)^{@s} &\triangleq ((\phi\,\mathcal{U}\,\psi) \vee \Box\phi)^{@s}
\end{aligned}$$

We claim that all of these abbreviations are semantically justified, given an expected semantics for a first-order version of the modal $\mu$-calculus [BS06]. However, because the underlying first-order logic with least and greatest fixed point operators is the smallest necessary core, we do not pursue the second semantics needed to make this claim precise.


2.4  Conclusion 

In  this  chapter,  we  have  presented  PrivacyLFP,  a  particular  signature  of  first-order  logic  with  fixed 
point  operators,  as  an  extension  of  the  privacy  fragment  of  LPU.  We  motivated  the  key  extensions 
through  the  use  of  concrete  examples  from  GLBA  and  HIPAA.  Although  PrivacyLFP  does  not 
include  temporal  operators  as  primitive  connectives,  we  gave  a  set  of  convenient  abbreviations  for 
them  in  terms  of  constructs  provided  by  the  first-order  structure. 

With  this  logic  in  hand,  we  are  now  prepared  to  tackle  the  formalization  of  GLBA  and  HIPAA. 
Chapter 3

Gramm-Leach-Bliley Act


In this chapter, we present a complete formalization of the privacy component of the Gramm-Leach-Bliley Act (GLBA) [US99], namely §§6802 and 6803. We begin with a top-level formula and then proceed clause-by-clause through the law.

3.1  Top-Level  Formula 

We  need  a  means  of  combining  the  (positive  and)  negative  norms  we  will  obtain  from  a  clause-by- 
clause  consideration  of  GLBA.  As  in  LPU,  this  is  done  by  a  top-level  formula;  it  is  the  top-level 
formula  that  is  checked  when  verifying  that  a  trace  of  actions  complies  with  the  privacy  law.  The 
top-level  formula  that  we  propose  for  GLBA  is: 

$$\begin{aligned}
\mathsf{G}\,\big(&(\forall p_1, p_2{:}\textsf{prin}.\ \forall m'{:}\textsf{msg}.\\
&\quad \textsf{hlsend}(p_1, p_2, m') \supset\\
&\quad (\nu\,\textsf{maysend}(p_1, p_2, m).\ \forall d{:}\textsf{data}.\ \forall u{:}\textsf{purp}.\ \forall q{:}\textsf{prin}.\ \forall t{:}\textsf{attr}.\\
&\qquad (m = \textsf{info}(d, u)) \wedge \textsf{contains}(m, q, t) \supset\\
&\qquad \varphi_{6802ae} \wedge \varphi_{6802be} \wedge \varphi_{6802c} \wedge \varphi_{6802d})(p_1, p_2, m'))\ \wedge\\
&(\forall q, p{:}\textsf{prin}.\ \forall r{:}\textsf{role}.\\
&\quad \textsf{beginrole}(q, r) \wedge (r = \textit{customer}(p)) \supset \varphi_{6803a} \vee \varphi_{6803d1})\big)
\end{aligned}$$

where  hlsend  is  a  macro  defining  an  abstraction  over  the  physical  recipient  of  the  message,  as 
described  in  the  discussion  of  §6809(9).  Note  the  use  of  the  greatest  fixed  point  operator,  as 
motivated  in  Section  2.2.3;  this  is  a  novel  feature  of  our  work. 

Also,  note  that  GLBA  places  obligations  on  the  action  of  beginning  to  hold  a  role,  so  these 
obligations  live  outside  the  greatest  fixed  point  for  send  actions. 
3.2 §6802 Obligations with respect to disclosures of personal information

6802(a)  Notice  Requirements 

Except  as  otherwise  provided  in  this  subtitle,  a  financial  institution  may  not,  directly 
or  through  any  affiliate,  disclose  to  a  nonaffiliated  third  party  any  nonpublic  personal 
information,  unless  such  financial  institution  provides  or  has  provided  to  the  consumer 
a  notice  that  complies  with  section  6803  of  this  title. 

$$\begin{aligned}
\varphi_{6802a} \triangleq\ & \textsf{activerole}(p_1, \textit{institution})\ \wedge\\
& \neg\textsf{activerole}(p_2, \textit{affiliate}(p_1))\ \wedge\\
& \textsf{belongstorole}(q, \textit{consumer}(p_1))\ \wedge\\
& (t \in_{\mathcal{T}} \textit{npi}) \supset\\
& (\exists m''.\ \textsf{hlsend}(p_1, q, m'') \wedge \textsf{is-notice-of-disclosure}(m'', p_1, p_2, (q, t), u))\ \vee\\
& \blacklozenge(\exists m''.\ \textsf{hlsend}(p_1, q, m'') \wedge \textsf{is-notice-of-disclosure}(m'', p_1, p_2, (q, t), u))
\end{aligned}$$


6802(b)  Opt  Out 

As we will see, 6802(b) contains a negative norm and an exception. Therefore, we define:

$$\varphi_{6802b} \triangleq \varphi_{6802b1} \vee \varphi_{6802b2}$$

6802(b)(1)  In  General 

A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless—

(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party;

(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and

(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.

At  first  glance,  it  appeared  to  us  that  6802(a)  and  6802(b)(1)(A)  impose  the  same  requirement. 
However,  we  now  interpret  6802(a)  as  requiring  notices  regarding  disclosures  that  have  taken  or  will 
actually  take  place,  whereas  6802(b)(1)  requires  notice  of  the  kinds  of  disclosures  an  institution 
may  potentially  make.  Assuming  that  c  is  a  constant  representing  the  minimum  length  of  the 
consumer’s  opportunity  for  opt-out,  we  can  capture  this  clause  as: 

$$\begin{aligned}
\varphi_{6802b1} \triangleq\ & \iota x.\ \textsf{activerole}(p_1, \textit{institution})\ \wedge\\
& \neg\textsf{activerole}(p_2, \textit{affiliate}(p_1))\ \wedge\\
& \textsf{belongstorole}(q, \textit{consumer}(p_1))\ \wedge\\
& (t \in_{\mathcal{T}} \textit{npi}) \supset\\
& (\neg\exists m'''.\ \textsf{hlsend}(q, p_1, m''') \wedge \textsf{is-opt-out}(m''', p_1, p_2, (q, t), u)) \supset\\
& \blacklozenge(\iota y.\ (x \geq y + c)\ \wedge\\
&\qquad \exists m''.\ \textsf{hlsend}(p_1, q, m'') \wedge \textsf{is-notice-of-potential-disclosure}(m'', p_1, p_2, (q, t), u))
\end{aligned}$$


6802(b)(2)  Exception 

This  subsection  shall  not  prevent  a  financial  institution  from  providing  nonpublic 
personal  information  to  a  nonaffiliated  third  party  to  perform  services  for  or  functions 
on  behalf  of  the  financial  institution,  including  marketing  of  the  financial  institution’s 
own  products  or  services,  or  financial  products  or  services  offered  pursuant  to  joint 
agreements  between  two  or  more  financial  institutions  that  comply  with  the  requirements 
imposed  by  the  regulations  prescribed  under  section  6804  of  this  title,  if  the  financial 
institution  fully  discloses  the  providing  of  such  information  and  enters  into  a  contractual 
agreement  with  the  third  party  that  requires  the  third  party  to  maintain  the  confidentiality 
of  such  information. 

$$\begin{aligned}
\varphi_{6802b2} \triangleq\ & \textsf{activerole}(p_1, \textit{institution})\ \wedge\\
& \neg\textsf{activerole}(p_2, \textit{affiliate}(p_1))\ \wedge\\
& \textsf{belongstorole}(q, \textit{consumer}(p_1))\ \wedge\\
& (t \in_{\mathcal{T}} \textit{npi})\ \wedge\\
& (u \in_{\mathcal{U}} \textit{perform-services})\ \wedge\\
& \blacklozenge(\exists m''.\ \textsf{hlsend}(p_1, q, m'') \wedge \textsf{is-notice-of-potential-disclosure}(m'', p_1, p_2, (q, t), u))\ \wedge\\
& \textsf{exists-confidentiality-agreement}(p_1, p_2, t)
\end{aligned}$$

6802(c)  Limits  on  Reuse  of  Information 

Except as otherwise provided in this subchapter, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.

This clause was the key to motivating the introduction of greatest fixed points into PrivacyLFP, as seen in Section 2.2.3. We critically need to be able to refer to $\textsf{maysend}(p', p_2, m'')$ to model the requirement that information may not be reused "unless such disclosure would be lawful if made directly to such other person by the financial institution." We need some way to characterize GLBA's reflection on its own definition of lawful disclosures; fixed points fit the bill.

$$\begin{aligned}
\varphi_{6802c} \triangleq\ & \forall p', m''.\ \neg\textsf{activerole}(p_1, \textit{affiliate}(p'))\ \wedge\\
& (\neg\textsf{activerole}(p_2, \textit{affiliate}(p')) \wedge \neg\textsf{activerole}(p_2, \textit{affiliate}(p_1)))\ \wedge\\
& (t \in_{\mathcal{T}} \textit{npi})\ \wedge\\
& \blacklozenge(\textsf{hlsend}(p', p_1, m'') \wedge \textsf{contains}(m'', q, t) \wedge \textsf{activerole}(p', \textit{institution})\ \wedge\\
&\qquad \neg\textsf{activerole}(p_1, \textit{affiliate}(p')) \wedge \textsf{belongstorole}(q, \textit{consumer}(p'))) \supset\\
& \blacklozenge\textsf{maysend}(p', p_2, m'')
\end{aligned}$$

6802(d)  Limitations  on  the  Sharing  of  Account  Number  Information  for  Mar¬ 
keting  Purposes 

A  financial  institution  shall  not  disclose,  other  than  to  a  consumer  reporting  agency, 
an  account  number  or  similar  form  of  access  number  or  access  code  for  a  credit  card 
account,  deposit  account,  or  transaction  account  of  a  consumer  to  any  nonaffiliated 
third  party  for  use  in  telemarketing,  direct  mail  marketing,  or  other  marketing  through 
electronic  mail  to  the  consumer. 

This captures the fact that if an institution $p_1$ ever sends an account number, or similar form of access number or code, to a nonaffiliated third party $p_2$ which uses the number for marketing purposes, then $p_2$ must be a consumer reporting agency. This is a subtly different notion from preventing the institution's disclosure from being marketing related, and critically depends on the use of temporal future modalities.

$$\begin{aligned}
\varphi_{6802d} \triangleq\ & \textsf{activerole}(p_1, \textit{institution})\ \wedge\\
& \neg\textsf{activerole}(p_2, \textit{affiliate}(p_1))\ \wedge\\
& \textsf{belongstorole}(q, \textit{consumer}(p_1))\ \wedge\\
& (t \in_{\mathcal{T}} \textit{account-number})\ \wedge\\
& \Diamond(\exists p', m'', d', u', t'.\ \textsf{hlsend}(p_2, p', m'') \wedge (m'' = \textsf{info}(d', u')) \wedge \textsf{contains}(m'', q, t')\ \wedge\\
&\qquad (t' \in_{\mathcal{T}} t) \wedge (u' \in_{\mathcal{U}} \textit{marketing})) \supset\\
& \textsf{activerole}(p_2, \textit{consumer-reporting-agency})
\end{aligned}$$


6802(e)  General  Exceptions 

Subsections  (a)  and  (b)  of  this  section  shall  not  prohibit  the  disclosure  of  nonpublic 
personal  information — 


Therefore, we create versions of 6802(a) and (b) which carry the exceptions listed here:

$$\varphi_{6802ae} \triangleq \varphi_{6802a} \vee \varphi_{6802e1} \vee \varphi_{6802e2} \vee \varphi_{6802e3} \vee \varphi_{6802e4} \vee \varphi_{6802e5} \vee \varphi_{6802e6} \vee \varphi_{6802e7} \vee \varphi_{6802e8}$$

and

$$\varphi_{6802be} \triangleq \varphi_{6802b} \vee \varphi_{6802e1} \vee \varphi_{6802e2} \vee \varphi_{6802e3} \vee \varphi_{6802e4} \vee \varphi_{6802e5} \vee \varphi_{6802e6} \vee \varphi_{6802e7} \vee \varphi_{6802e8}$$

6802(e)(1) 

as  necessary  to  effect,  administer,  or  enforce  a  transaction  requested  or  authorized 
by  the  consumer,  or  in  connection  with — 

(A)  servicing  or  processing  a  financial  product  or  service  requested  or  authorized  by  the 
consumer; 

(B)  maintaining  or  servicing  the  consumer’s  account  with  the  financial  institution,  or 
with  another  entity  as  part  of  a  private  label  credit  card  program  or  other  extension 
of  credit  on  behalf  of  such  entity;  or 

(C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;

We have the following positive norm for this exception. Given GLBA's lack of further specification of "extension of credit on behalf of", we choose to implement this feature with a new predicate, extends-credit-on-behalf, whose semantics are given by an oracle.

$$\begin{aligned}
\varphi_{6802e1} \triangleq\ & (u \in_{\mathcal{U}} \textit{process-consumer-authorized-service}(q))\ \vee\\
& (\exists p'.\ ((p' = p_1) \vee \textsf{extends-credit-on-behalf}(p_1, p')) \wedge (u \in_{\mathcal{U}} \textit{maintain-consumer-account}(q, p')))\ \vee\\
& (u \in_{\mathcal{U}} \textit{securitization-sale-etc}(q))
\end{aligned}$$

6802(e)(2) 

with  the  consent  or  at  the  direction  of  the  consumer; 

Again, we rely on an oracle to give semantics to the new is-consent-for-disclosure:

$$\varphi_{6802e2} \triangleq \exists m''.\ \blacklozenge\textsf{hlsend}(q, p_1, m'') \wedge \textsf{is-consent-for-disclosure}(m'', p_1, p_2, (q, t), u)$$

6802(e)(3) 

(A) to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein;

(B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;

(C) for required institutional risk control, or for resolving customer disputes or inquiries;

(D) to persons holding a legal or beneficial interest relating to the consumer; or

(E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;

$$\begin{aligned}
\varphi_{6802e3} \triangleq\ & (u \in_{\mathcal{U}} \textit{protect-records-security}(q))\ \vee\\
& (u \in_{\mathcal{U}} \textit{fraud-prevention})\ \vee\\
& ((u \in_{\mathcal{U}} \textit{required-risk-control}) \vee (u \in_{\mathcal{U}} \textit{resolve-customer-dispute}(q)))\ \vee\\
& \textsf{activerole}(p_2, \textit{beneficial-interest}(q))\ \vee\\
& \textsf{activerole}(p_2, \textit{financial-representative}(q))
\end{aligned}$$

6802(e)(4) 

to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors;

$$\begin{aligned}
\varphi_{6802e4} \triangleq\ & \textsf{activerole}(p_2, \textit{insurance-rate-advisory-org})\ \vee\\
& \textsf{activerole}(p_2, \textit{guaranty-agency})\ \vee\\
& \textsf{activerole}(p_2, \textit{rating-agency}(p_1))\ \vee\\
& \textsf{activerole}(p_2, \textit{compliance-assessor}(p_1))\ \vee\\
& (\textsf{activerole}(p_2, \textit{attorney}(p_1)) \vee \textsf{activerole}(p_2, \textit{accountant}(p_1)) \vee \textsf{activerole}(p_2, \textit{auditor}(p_1)))
\end{aligned}$$

6802(e)(5) 

to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 [12 U.S.C. 3401 et seq.], to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, and chapter 2 of title I of Public Law 91-508 (12 U.S.C. 1951-1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

$$\begin{aligned}
\varphi_{6802e5} \triangleq\ & (\textsf{specifically-permitted-or-required-by-law}(p_1, p_2, (q, t), u)\ \vee\\
&\quad \textsf{in-accordance-with-Right-to-Financial-Privacy-Act-of-1978}(p_1, p_2, (q, t), u))\ \vee\\
& \textsf{activerole}(p_2, \textit{law-enforcement-agency})\ \vee\\
& \textsf{activerole}(p_2, \textit{self-regulatory-org})\ \vee\\
& (u \in_{\mathcal{U}} \textit{public-safety-investigation})
\end{aligned}$$

To simplify our formalization of GLBA, we assume that an oracle provides semantics for the new predicate in-accordance-with-Right-to-Financial-Privacy-Act-of-1978; a formalization of that law would eliminate the need for this oracle, but we choose not to do so. On the other hand, we use an oracle to give semantics for the permitted-required-by-law predicate out of necessity: we cannot possibly give formalizations of all laws or a semantics for all possible judicial interpretations of those laws.
6802(e)(6)

(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act [15 U.S.C. 1681 et seq.], or

(B) from a consumer report reported by a consumer reporting agency;

$$\begin{aligned}
\varphi_{6802e6} \triangleq\ & (\textsf{activerole}(p_2, \textit{consumer-reporting-agency}) \wedge \textsf{in-accordance-with-Fair-Credit-Reporting-Act}(p_1, p_2, (q, t), u))\ \vee\\
& \blacklozenge(\exists p', m''.\ \textsf{activerole}(p', \textit{consumer-reporting-agency}) \wedge \textsf{hlsend}(p', p_1, m'')\ \wedge\\
&\qquad \textsf{is-consumer-report}(m'') \wedge \textsf{contains}(m'', q, t))
\end{aligned}$$

Oracles are assumed for the is-consumer-report and in-accordance-with-Fair-Credit-Reporting-Act predicates.

6802(e)(7) 

in  connection  with  a  proposed  or  actual  sale,  merger,  transfer,  or  exchange  of  all 
or  a  portion  of  a  business  or  operating  unit  if  the  disclosure  of  nonpublic  personal 
information  concerns  solely  consumers  of  such  business  or  unit;  or 

$$\begin{aligned}
\varphi_{6802e7} \triangleq\ & \exists p', p''.\ \textsf{belongstorole}(p'', \textit{subunit}(p'))\ \wedge\\
& ((u \in_{\mathcal{U}} \textit{sale}(p'')) \vee (u \in_{\mathcal{U}} \textit{merger}(p'')) \vee (u \in_{\mathcal{U}} \textit{transfer}(p'')) \vee (u \in_{\mathcal{U}} \textit{exchange}(p'')))\ \wedge\\
& \textsf{belongstorole}(q, \textit{consumer}(p''))
\end{aligned}$$

6802(e)(8) 

to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

$$\begin{aligned}
\varphi_{6802e8} \triangleq\ & (u \in_{\mathcal{U}} \textit{compliance-with-legal-requirements})\ \vee\\
& ((u \in_{\mathcal{U}} \textit{compliance-with-investigation}) \vee (u \in_{\mathcal{U}} \textit{compliance-with-summons}))\ \vee\\
& (\blacklozenge(\exists m''.\ \textsf{hlsend}(p_2, p_1, m'') \wedge \textsf{is-response-to}(m, m''))\ \wedge\\
&\quad (\textsf{activerole}(p_2, \textit{judicial-process}) \vee \textsf{activerole}(p_2, \textit{government-regulatory-authority}(p_1)))\ \wedge\\
&\quad (u \in_{\mathcal{U}} \textit{authorized-by-law}(p_2)))
\end{aligned}$$

Note that we capture purposes for which the judicial process or regulatory authority, $p_2$, is authorized by law by structuring those purposes so that they are subpurposes of $\textit{authorized-by-law}(p_2)$.
3.3 §6803 Disclosure of institution privacy policy

6803(a)  Disclosure  Required 

At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution's policies and practices with respect to—

(1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 6802 of this title, including the categories of information that may be disclosed;

(2) disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution; and

(3) protecting the nonpublic personal information of consumers.

To  capture  this  requirement,  we  want  to  enforce  continuing  annual  notices  for  each  principal 
that  begins  a  customer  role  with  the  financial  institution.  To  do  so,  we  use: 

$$\mathsf{G}\ \forall q, r, p_1.\ \textsf{beginrole}(q, r) \wedge (r = \textit{customer}(p_1)) \supset \varphi_{6803a} \vee \varphi_{6803d1}$$

where $\varphi_{6803d1}$ is defined below and

$$\begin{aligned}
\varphi_{6803a} \triangleq\ & (\exists m''.\ \textsf{hlsend}(p_1, q, m'') \wedge \textsf{is-annual-notice}(m'', p_1, q))\ \wedge\\
& ((\iota x.\ \Diamond(\iota y.\ (y \leq x + 365)\ \wedge\\
&\qquad ((\exists m''.\ \textsf{hlsend}(p_1, q, m'') \wedge \textsf{is-annual-notice}(m'', p_1, q)) \vee \textsf{endrole}(q, \textit{customer}(p_1)))))\\
&\quad \mathcal{W}\ \textsf{endrole}(q, \textit{customer}(p_1)))
\end{aligned}$$

Note the use of the weak until operator $\mathcal{W}$. The weak version is necessary because it is possible (in theory) that a customer relationship never ends.

This  clause  was  a  primary  motivating  factor  in  our  decision  to  distinguish  active  roles  from  the 
roles  to  which  a  principal  belongs.  If  we  had  only  a  notion  of  active  role,  it  would  be  difficult  to 
speak  about  a  continuing  customer  relationship. 

6803(b)  Regulations 

Disclosures  required  by  subsection  (a)  shall  be  made  in  accordance  with  the  regula¬ 
tions  prescribed  under  section  6804  °f  this  title. 

§6804  talks  about  individual  regulations  enacted  by  various  oversight  bureaus.  If  we  were  to 
model  all  of  these  individual  regulations,  then  more  would  need  to  be  done  here.  However,  since 
we  choose  not  to  model  those  regulations,  this  clause  is  automatically  satisfied. 
6803(c) Information to be Included

The disclosure required by subsection (a) shall include —

(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 6802 of this title, and including —

(A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 6802(e) of this title; and

(B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution;

(2) the categories of nonpublic personal information that are collected by the financial institution;

(3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 6801 of this title; and

(4) the disclosures required, if any, under section 1681a(d)(2)(A)(iii) of this title.

This clause defines what it means for a message to be an annual notice, notice of disclosure, or notice of potential disclosure.

For example, although we have previously assumed is-annual-notice to be a predicate, this clause allows us to define it as a macro:

\[
\begin{aligned}
\text{is-annual-notice}(m'', p_1, q) \equiv\ & \mathit{contains}(m'', p_1, \text{npi-policies-and-practices})\ \wedge \\
& \mathit{contains}(m'', p_1, \text{npi-categories-collected})\ \wedge \\
& \mathit{contains}(m'', p_1, \text{npi-security-policies})\ \wedge \\
& \mathit{contains}(m'', p_1, \text{npi-disclosures-to-affiliates})
\end{aligned}
\]

Similarly, we may define is-notice-of-potential-disclosure and is-notice-of-disclosure as macros. To do so, we invent types of attributes that describe a potential or actual disclosure:

\[
\text{is-notice-of-potential-disclosure}(m'', p_1, p_2, (q, t), u) \equiv \mathit{contains}(m'', p_1, \text{will-possibly-disclose}(p_1, p_2, (q, t), u))
\]

and

\[
\text{is-notice-of-disclosure}(m'', p_1, p_2, (q, t), u) \equiv \mathit{contains}(m'', p_1, \text{has-or-will-disclose}(p_1, p_2, (q, t), u))
\]

6803(d) Exemption for Certified Public Accountants

6803(d)(1) In General

The disclosure requirements of subsection (a) do not apply to any person, to the extent that the person is —

(A) a certified public accountant;

(B) certified or licensed for such purpose by a State; and

(C) subject to any provision of law, rule, or regulation issued by a legislative or regulatory body of the State, including rules of professional conduct or ethics, that prohibits disclosure of nonpublic personal information without the knowing and expressed consent of the consumer.

\[
\begin{aligned}
\varphi_{6803d1} \equiv\ & \exists S.\ \mathit{belongstorole}(S, \mathit{State})\ \wedge \\
& \mathit{activerole}(p_1, \text{certified-public-accountant}(S))\ \wedge \\
& \text{subject-to-ethical-disclosure-provision}(p_1, S)
\end{aligned}
\]

Again, we assume that the semantics of the subject-to-ethical-disclosure-provision predicate are given by an oracle.

6803(d)(2) Limitation

Nothing in this subsection shall be construed to exempt or otherwise exclude any financial institution that is affiliated or becomes affiliated with a certified public accountant described in paragraph (1) from any provision of this section.

We ensure this condition by requiring that our model satisfies the following constraint in every state:

\[
\neg(\mathit{belongstorole}(p, \mathit{institution}) \wedge \mathit{belongstorole}(p, \mathit{affiliate}(p)))
\]

3.4 §6809 Definitions

6809(5) Nonaffiliated Third Party

The term ‘nonaffiliated third party’ means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution.

This condition is ensured by our general approach. A joint employee can be active in at most one of his employers’ roles; being active in the institution role does not force him to simultaneously act in the nonaffiliate role.

6809(9) Consumer

The term ‘consumer’ means an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.

In effect, this clause states that anywhere “consumer” appears in the law, the individual’s legal representative is a suitable substitute. For example, the institution may choose to send disclosure notices to a consumer’s legal representative, rather than sending them directly to the consumer. To handle this, we introduce a high-level send macro that abstracts away from the low-level, physical send action provided by our model: a high-level send to p2 is either a low-level send to p2 or a low-level send to p2’s legal representative.

\[
\begin{aligned}
\mathit{hlsend}(p_1, p_2, m) \equiv\ & \mathit{send}(p_1, p_2, m) \\
\vee\ & (\exists p_1'.\ \mathit{send}(p_1', p_2, m)\ \wedge \\
& \quad \mathit{activerole}(p_1', \text{legal-representative}(p_1))\ \wedge \\
& \quad \exists p'.\ \mathit{belongstorole}(p_1, \mathit{consumer}(p')) \wedge \mathit{belongstorole}(p', \mathit{institution})) \\
\vee\ & (\exists p_2'.\ \mathit{send}(p_1, p_2', m)\ \wedge \\
& \quad \mathit{activerole}(p_2', \text{legal-representative}(p_2))\ \wedge \\
& \quad \exists p'.\ \mathit{belongstorole}(p_2, \mathit{consumer}(p')) \wedge \mathit{belongstorole}(p', \mathit{institution}))
\end{aligned}
\]

All uses of send in the norms would then be replaced by hlsend (as we have done consistently so far).
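As an added example (not the paper's own code or checker), the following Python evaluates the §6803(a) obligation from §3.3 together with the hlsend macro just defined over a constructed trace. It assumes a simplified model: activerole/belongstorole facts are static for the whole trace, roles are tuples such as ("customer", "BankA"), messages are frozensets of (subject, attribute) pairs so that contains is a set lookup, the clock is counted in days for the ↓x/↓y freeze quantifiers, and an obligation still pending when the finite trace ends is read as not yet violated (the weak-until reading). The principal names, the exempt set standing in for the φ6803d1 oracle, and the sample trace are all constructed.

```python
"""Trace checker for the GLBA §6803(a) annual-notice obligation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    time: int    # days since the start of the trace (constructed clock)
    kind: str    # "beginrole" | "endrole" | "send"
    args: tuple  # (principal, role) or (sender, receiver, message)


@dataclass
class Model:
    trace: list
    active: set          # (principal, role) pairs: activerole, assumed static
    belongs: set         # (principal, role) pairs: belongstorole, assumed static
    exempt: set          # institutions for which the φ6803d1 oracle holds (assumption)
    max_gap: int = 365   # "not less than annually"


# §6803(c): the attribute classes an annual notice must carry about p1
NOTICE_ATTRS = ("npi-policies-and-practices", "npi-categories-collected",
                "npi-security-policies", "npi-disclosures-to-affiliates")


def make_notice(p1):
    """Constructed sample notice message about institution p1."""
    return frozenset((p1, a) for a in NOTICE_ATTRS)


def is_annual_notice(msg, p1, q):
    # is-annual-notice macro: contains(m'', p1, attr) for all four classes
    return all((p1, a) in msg for a in NOTICE_ATTRS)


def is_consumer(model, p):
    """∃p'. belongstorole(p, consumer(p')) ∧ belongstorole(p', institution)"""
    return any(r[0] == "consumer" and (r[1], ("institution",)) in model.belongs
               for (x, r) in model.belongs if x == p)


def hlsend(model, ev, p1, p2):
    """§6809(9) high-level send: a send to p2, or to p2's legal representative
    (and symmetrically from p1's representative), for consumers only."""
    sender, receiver, _ = ev.args
    if sender == p1 and receiver == p2:
        return True
    if sender == p1 and (receiver, ("legal-representative", p2)) in model.active:
        return is_consumer(model, p2)
    if receiver == p2 and (sender, ("legal-representative", p1)) in model.active:
        return is_consumer(model, p1)
    return False


def notice_times(model, p1, q, start):
    """States (times) >= start in which ∃m''. hlsend(p1, q, m'') ∧ is-annual-notice."""
    return sorted({e.time for e in model.trace
                   if e.kind == "send" and e.time >= start
                   and hlsend(model, e, p1, q) and is_annual_notice(e.args[2], p1, q)})


def end_time(model, q, p1, start):
    ends = [e.time for e in model.trace if e.kind == "endrole"
            and e.time >= start and e.args == (q, ("customer", p1))]
    return min(ends) if ends else None


def check_annual_notices(model):
    """Evaluates φ6803a for every beginrole(q, customer(p1)) in the trace and
    returns (q, p1, time, reason) for each violated obligation."""
    horizon = max(e.time for e in model.trace)
    violations = []
    for ev in sorted(model.trace, key=lambda e: e.time):
        if ev.kind != "beginrole" or ev.args[1][0] != "customer":
            continue
        q, (_, p1) = ev.args
        if p1 in model.exempt:          # φ6803d1 disjunct (CPA exemption, oracle)
            continue
        notices = notice_times(model, p1, q, ev.time)
        end = end_time(model, q, p1, ev.time)
        if ev.time not in notices:      # first conjunct: a notice when the relationship starts
            violations.append((q, p1, ev.time, "no notice at start of relationship"))
            continue
        checkpoint = ev.time            # the time frozen by ↓x
        while True:
            later = [n for n in notices if n > checkpoint]
            if end is not None and end < checkpoint + model.max_gap:
                break                   # endrole discharges the obligation
            if later and later[0] < checkpoint + model.max_gap:
                checkpoint = later[0]   # next notice in time; obligation continues (W)
                continue
            if end is None and horizon < checkpoint + model.max_gap:
                break                   # trace ends with the obligation pending: not violated
            violations.append((q, p1, checkpoint, "no notice or endrole within 365 days"))
            break
    return violations


def sample_model():
    """Constructed trace: BankA notifies alice (once via her representative bob),
    carol's relationship ends early, and dave is never notified."""
    n = make_notice("BankA")
    trace = [
        Event(0, "beginrole", ("alice", ("customer", "BankA"))),
        Event(0, "send", ("BankA", "bob", n)),      # counts as hlsend to alice
        Event(10, "beginrole", ("carol", ("customer", "BankA"))),
        Event(10, "send", ("BankA", "carol", n)),
        Event(50, "beginrole", ("dave", ("customer", "BankA"))),
        Event(200, "endrole", ("carol", ("customer", "BankA"))),
        Event(300, "send", ("BankA", "alice", n)),
        Event(700, "send", ("BankA", "alice", n)),  # 400 days after the previous notice
    ]
    return Model(trace=trace,
                 active={("bob", ("legal-representative", "alice"))},
                 belongs={("alice", ("consumer", "BankA")), ("BankA", ("institution",))},
                 exempt=set())
```

Running check_annual_notices(sample_model()) reports alice's relationship at the checkpoint of day 300 (the next notice arrives 400 days later) and dave's at day 50 (no notice when the customer role began); carol's relationship is discharged by the endrole within the year.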

6809(11) Customer Relationship

The term ‘time of establishing a customer relationship’ shall be defined by the regulations prescribed under section 6804 of this title, and shall, in the case of a financial institution engaged in extending credit directly to consumers to finance purchases of goods or services, mean the time of establishing the credit relationship with the consumer.

Hence, we require that the underlying model’s role structure satisfies

\[
\mathit{customer}(p_1) \qquad \mathit{consumer}(p_1)
\]

for all financial institutions $p_1$.


Chapter 4

Health Insurance Portability and Accountability Act

In this chapter, we give our formalization of §§164.502, 164.506, 164.508, 164.510, 164.512, 164.514, and 164.524 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [US 02]. In addition, for the clauses also formalized by Lam et al. in Datalog (i.e., §§164.502, 164.506, and 164.510) [LMS09, Sta], we give a comparison of our method with their formulation. In this comparison, Datalog code snippets are shown in monospace font.

4.1 Top-Level Formula

As in our formalization of GLBA, we require a top-level formula that combines the individual positive and negative norms. It is this formula that is checked when verifying compliance of a trace $\sigma$ with the law. For HIPAA, we propose the top-level formula:

\[
\begin{aligned}
\mathbf{G}\ \forall p_1, p_2{:}\mathit{prin}.\ & \forall m{:}\mathit{msg}. \\
& \mathit{send}(p_1, p_2, m)\ \wedge \\
& (\forall d{:}\mathit{data}.\ \forall u{:}\mathit{purp}.\ \forall q{:}\mathit{prin}.\ \forall t{:}\mathit{attr}. \\
& \quad (m = \mathit{info}(d, u)) \wedge \mathit{contains}(m, q, t) \supset \\
& \quad (\textstyle\bigvee_i \varphi^{+}_i) \wedge (\textstyle\bigwedge_j \varphi^{-}_j))\ \wedge \\
& (\forall t{:}\mathit{attr}. \\
& \quad (m = \mathit{req\_for\_access}(p_1, t)) \supset \\
& \quad \varphi_{164.524b2i} \vee \varphi_{164.524b2ii})
\end{aligned}
\]

Note that HIPAA does not contain clauses that require fixed points, and so we have no greatest fixed point operator $\nu\,\mathit{maysend}(p_1, p_2, m)$ as we did in the top-level formula for GLBA.

4.2 §164.502 Uses and disclosures of protected health information: General rules

permitted_by_164_502(A) :-
    permitted_by_164_502_a(A) ;
    permitted_by_164_502_b(A) ;  %must satisfy
    permitted_by_164_502_c(A) ;
    permitted_by_164_502_d(A) ;
    permitted_by_164_502_e(A) ;  %must satisfy
    permitted_by_164_502_f(A) ;
    permitted_by_164_502_g(A) ;
    permitted_by_164_502_h(A) ;
    permitted_by_164_502_i(A) ;
    permitted_by_164_502_j(A).

We have no norm that corresponds to this Datalog clause. This is because we choose to flatten the permission structure, and so any positive norms that arise from §164.502 will be directly inserted into our top-level formula when they appear.

164.502(a)

A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

permitted_by_164_502_a(A) :-
    is_from_coveredEntity(A),
    is_phi(A),
    (permitted_by_160_C(A) ;
     permitted_by_164_502_a_1(A) ;
     required_by_164_502_a_2(A)).

Again, we have no corresponding norm because the norms implied by §164.502(a)(1) and (2) will be included when we reach those sections.

164.502(a)(1)

A covered entity is permitted to use or disclose protected health information as follows:

permitted_by_164_502_a_1(A) :-
    permitted_by_164_502_a_1_i(A) ;
    permitted_by_164_502_a_1_ii(A) ;
    permitted_by_164_502_a_1_iii(A) ;
    permitted_by_164_502_a_1_iv(A) ;
    permitted_by_164_502_a_1_v(A) ;
    permitted_by_164_502_a_1_vi(A).

Again, in our approach, we have no corresponding norm.

164.502(a)(1)(i)

To the individual;

permitted_by_164_502_a_1_i(A) :-
    (is_to_concernedIndividual(A) ;
     is_from_concernedIndividual(A)),
    writeln('HIPAA rule 164_502_a_1_i;').

We include the positive norm:

\[
\begin{aligned}
\varphi_{164.502a1i} \equiv\ & \mathit{activerole}(p_1, \text{covered-entity})\ \wedge \\
& (p_2 \sim q)\ \wedge \\
& (t \in_T \mathit{phi})
\end{aligned}
\]

where

\[
(p_2 \sim q) \equiv \mathit{activerole}(p_2, \text{personal-representative}(q)) \vee (p_2 = q)
\]

Unlike Lam et al.’s Datalog formulation, we do not believe that this HIPAA clause allows the individual to send messages. This is a reasonable property to expect, but is captured elsewhere.

164.502(a)(1)(ii)

For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;

permitted_by_164_502_a_1_ii(A) :-
    is_for_eitherPurpose(A),
    permitted_by_164_506(A),
    writeln('HIPAA rule 164_502_a_1_ii;').

Again, we have no corresponding norm. §164.506 will insert positive norms directly into the top-level formula.

164.502(a)(1)(iii)

Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §164.502(b), §164.514(d), and §164.530(c) with respect to such otherwise permitted or required use or disclosure;

permitted_by_164_502_a_1_iii(A) :-
    is_for_incidentToUse(A),
    permitted_by_164_502_b(A),
    permitted_by_164_514_d(A),
    permitted_by_164_530_c(A),
    writeln('HIPAA rule 164_502_a_1_iii;').

\[
\varphi_{164.502a1iii} \equiv \text{incident-to-use-disclosure}(p_1, p_2, (q, t), u)
\]
164.502(a)(1)(iv)

Pursuant to and in compliance with a valid authorization under §164.508;

permitted_by_164_502_a_1_iv(A) :-
    require_authorization_by_164_508(A),
    writeln('HIPAA rule 164_502_a_1_iv;').

To allow disclosures that have valid authorizations, we include the positive norm:

\[
\begin{aligned}
\varphi_{164.502a1iv} \equiv\ & \mathit{activerole}(p_1, \text{covered-entity})\ \wedge \\
& (t \in_T \mathit{phi})\ \wedge \\
& \text{obtained-authorization-164.508}(p_1, p_2, (q, t), u)
\end{aligned}
\]

The constraints on the process of obtaining an individual’s authorization are imposed directly in §164.508.

164.502(a)(1)(v)

Pursuant to an agreement under, or as otherwise permitted by, §164.510; and

permitted_by_164_502_a_1_v(A) :-
    permitted_by_164_510(A),
    writeln('HIPAA rule 164_502_a_1_v;').

Again, we have no directly corresponding norm. §164.510 will insert the relevant norms into the top-level formula.

164.502(a)(1)(vi)

As permitted by and in compliance with this section, §164.512, or §164.514(e), (f), or (g).

permitted_by_164_502_a_1_vi(A) :-
    permitted_by_164_512(A) ;
    permitted_by_164_514_e(A) ;
    permitted_by_164_514_f(A) ;
    permitted_by_164_514_g(A).

Again, we have no corresponding norm.

164.502(a)(2)

A covered entity is required to disclose protected health information:

%required by!!

required_by_164_502_a_2(A) :-
    required_by_164_502_a_2_i(A) ;
    required_by_164_502_a_2_ii(A).

Again, we have no corresponding norm.
164.502(a)(2)(i)

To an individual, when requested under, and required by §164.524 or §164.528; and

required_by_164_502_a_2_i(A) :-
    is_to_concernedIndividual(A),
    is_replyTo_request(A),
    (required_by_164_524(A) ;
     required_by_164_528(A)),
    writeln('HIPAA rule 164_502_a_2_i;').

We have no directly corresponding norm. Instead, a “requirement” splits into two pieces: a positive norm that permits the required flow and a negative norm that obligates the covered entity to ensure that the required flow actually occurs. For this HIPAA clause, the positive fragment is already present via §164.502(a)(1)(i), since that section allows protected health information to be sent to the individual. The negative fragment will come from §164.524.

164.502(a)(2)(ii)

When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity’s compliance with this subpart.

required_by_164_502_a_2_ii(A) :-
    is_to_secretary(A),
    is_for_investigation(A),
    permitted_by_160_C(A),
    writeln('HIPAA rule 164_502_a_2_ii;').

The positive fragment of this clause is captured by:

\[
\begin{aligned}
\varphi_{164.502a2ii} \equiv\ & \mathit{activerole}(p_1, \text{covered-entity})\ \wedge \\
& \mathit{activerole}(p_2, \mathit{Secretary})\ \wedge \\
& (t \in_T \mathit{phi})\ \wedge \\
& (u \in_U \text{compliance-investigation}(p_1))
\end{aligned}
\]

We do not have a negative norm here: the relevant negative fragment of this requirement will come from §160.310.


164.502(b)

permitted_by_164_502_b(A) :-
    permitted_by_164_502_b_1(A) ;
    excluded_164_502_b_2(A).

We introduce $\varphi_{164.502b}$ as the negative norm from (b)(1) with positive exceptions drawn from (b)(2):

\[
\begin{aligned}
\varphi_{164.502b} \equiv\ & (\varphi_{164.502b1}\ \vee \\
& \varphi_{164.502b2i} \vee \varphi_{164.502b2ii}\ \vee \\
& \varphi_{164.502b2iii} \vee \varphi_{164.502b2iv}\ \vee \\
& \varphi_{164.502b2v} \vee \varphi_{164.502b2vi})
\end{aligned}
\]

This is essentially the same as what is done by Lam et al.
164.502(b)(1)

When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

permitted_by_164_502_b_1(A) :-
    is_from_coveredEntity(A),
    is_to_coveredEntity(A),
    is_belief_from_minimum(A),
    writeln('HIPAA rule 164_502_b_1;').

\[
\begin{aligned}
\varphi_{164.502b1} \equiv\ & \mathit{activerole}(p_1, \text{covered-entity})\ \wedge \\
& (t \in_T \mathit{phi})\ \supset \\
& \text{believes-minimum-necessary-for-purpose}(p_1, p_2, (q, t), u)
\end{aligned}
\]

The predicate believes-minimum-necessary-for-purpose is given semantics via an oracle.

164.502(b)(2)

This requirement does not apply to:

excluded_164_502_b_2(A) :-
    excluded_164_502_b_2_i(A) ;
    excluded_164_502_b_2_ii(A) ;
    excluded_164_502_b_2_iii(A) ;
    excluded_164_502_b_2_iv(A) ;
    excluded_164_502_b_2_v(A) ;
    excluded_164_502_b_2_vi(A).

We have no corresponding norm since these exceptions were applied to the previous negative norm as part of $\varphi_{164.502b}$.

164.502(b)(2)(i)

Disclosures to or requests by a health care provider for treatment;

excluded_164_502_b_2_i(A) :-
    is_for_treatment(A),
    is_to_healthCareProvider(A),
    writeln('HIPAA rule 164_502_b_2_i;').

We formalize this using our notion of purpose:

\[
\varphi_{164.502b2i} \equiv \mathit{activerole}(p_2, \mathit{provider}) \wedge (u \in_U \mathit{treatment})
\]
164.502(b)(2)(ii)

Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;

excluded_164_502_b_2_ii(A) :-
    (permitted_by_164_502_a_1_i(A) ;
     required_by_164_502_a_2_i(A)),
    writeln('HIPAA rule 164_502_b_2_ii;').

We have:

\[
\varphi^{+}_{164.502b2ii} \equiv \varphi^{+}_{164.502a1i}
\]

Note that, because a requirement splits into positive and negative fragments, disclosures required by paragraph (a)(2)(i) are permitted by positive norms. It so happens that for (a)(2)(i) the positive piece is $\varphi_{164.502a1i}$, since that norm permits protected health information to be sent to the individual.

164.502(b)(2)(iii)

Uses or disclosures made pursuant to an authorization under §164.508;

excluded_164_502_b_2_iii(A) :-
    is_for_obtainingAuthorization(A),
    writeln('HIPAA rule 164_502_b_2_iii;').

We have:

\[
\varphi_{164.502b2iii} \equiv \varphi_{164.502a1iv}
\]

Note that paragraph (a)(1)(iv) defines when a disclosure is made pursuant to an authorization under §164.508.

164.502(b)(2)(iv)

Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;

excluded_164_502_b_2_iv(A) :-
    is_to_secretary(A),
    permitted_by_160_C(A),
    writeln('HIPAA rule 164_502_b_2_iv;').

We have:

\[
\varphi^{+}_{164.502b2iv} \equiv \varphi^{+}_{164.502a2ii}
\]

Note that paragraph (a)(2)(ii) defines when a disclosure is made to the Secretary for compliance with investigations.

164.502(b)(2)(v)

Uses or disclosures that are required by law, as described by §164.512(a); and

excluded_164_502_b_2_v(A) :-
    required_by_164_512_a(A),
    writeln('HIPAA rule 164_502_b_2_v;').

We have the norm:

\[
\varphi_{164.502b2v} \equiv \varphi_{164.512a}
\]

164.502(b)(2)(vi)

Uses or disclosures that are required for compliance with applicable requirements of this subchapter.

%Need to add all required types. Found only this.

excluded_164_502_b_2_vi(A) :-
    required_by_164_502_a_2(A),
    writeln('HIPAA rule 164_502_b_2_vi;').

Because it appears that this HIPAA clause overlaps with paragraphs (b)(2)(ii), (iv), and (v), we have no norm for this paragraph.
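To see how the flattened permission structure and the negative norm φ164.502b interact, here is an added Python example (not the paper's checker and not Lam et al.'s code) that evaluates the §164.502 norms formalized so far for one send(p1, p2, info(attrs, u)). It assumes that roles and purposes are plain tuples, that u ∈_U purp is approximated by equality on those tuples, and that the oracle predicates (believes-minimum-necessary-for-purpose, obtained-authorization-164.508, incident-to-use-disclosure, and a stand-in for φ164.512a) are supplied as sets of argument tuples. Flows permitted only through §§164.506, 164.510 or 164.512 are not modelled, and all principal names and attributes are constructed.

```python
"""Flattened evaluation of the §164.502 norms for one HIPAA message (added example)."""
from dataclasses import dataclass, field


@dataclass
class State:
    active: set                      # activerole(p, role) facts
    attr_class: dict                 # attribute -> "phi" | "dii" | ...
    believes_min_necessary: set = field(default_factory=set)  # oracle: (p1, p2, q, t, u)
    authorized_164_508: set = field(default_factory=set)      # oracle: (p1, p2, q, t, u)
    incident_to: set = field(default_factory=set)             # oracle: (p1, p2, q, t, u)
    required_by_law: set = field(default_factory=set)         # stands in for φ164.512a


def covered_entity(s, p):
    return (p, ("covered-entity",)) in s.active


def in_phi(s, t):
    return s.attr_class.get(t) == "phi"


def represents(s, p2, q):
    """(p2 ~ q) ≡ activerole(p2, personal-representative(q)) ∨ (p2 = q)"""
    return p2 == q or (p2, ("personal-representative", q)) in s.active


# ---- positive norms: disjuncts of the top-level formula ----
def phi_a1i(s, p1, p2, q, t, u):
    return covered_entity(s, p1) and represents(s, p2, q) and in_phi(s, t)


def phi_a1iii(s, p1, p2, q, t, u):
    return (p1, p2, q, t, u) in s.incident_to


def phi_a1iv(s, p1, p2, q, t, u):
    return covered_entity(s, p1) and in_phi(s, t) and (p1, p2, q, t, u) in s.authorized_164_508


def phi_a2ii(s, p1, p2, q, t, u):
    return (covered_entity(s, p1) and (p2, ("Secretary",)) in s.active
            and in_phi(s, t) and u == ("compliance-investigation", p1))


def phi_d1(s, p1, p2, q, t, u):
    return (covered_entity(s, p1) and (p2, ("business-associate", p1)) in s.active
            and in_phi(s, t) and u == ("create-deidentified-info",))


POSITIVE = (phi_a1i, phi_a1iii, phi_a1iv, phi_a2ii, phi_d1)


# ---- φ164.502b: the minimum-necessary negative norm with its exceptions ----
def phi_b1(s, p1, p2, q, t, u):
    # activerole(p1, covered-entity) ∧ (t ∈_T phi) ⊃ believes-minimum-necessary-for-purpose
    if covered_entity(s, p1) and in_phi(s, t):
        return (p1, p2, q, t, u) in s.believes_min_necessary
    return True


def phi_b2i(s, p1, p2, q, t, u):
    return (p2, ("provider",)) in s.active and u == ("treatment",)


def phi_b(s, p1, p2, q, t, u):
    args = (s, p1, p2, q, t, u)
    return (phi_b1(*args) or phi_b2i(*args) or phi_a1i(*args)     # (b)(1), (b)(2)(i), (ii)
            or phi_a1iv(*args) or phi_a2ii(*args)                   # (b)(2)(iii), (iv)
            or (p1, p2, q, t, u) in s.required_by_law)              # (b)(2)(v)


def check_send(s, p1, p2, attrs, u):
    """Top-level check for send(p1, p2, info(attrs, u)): every (q, t) contained in
    the message needs some positive norm and must satisfy φ164.502b.
    Returns one (q, t, positive_ok, negative_ok) tuple per failing attribute."""
    failures = []
    for (q, t) in sorted(attrs):
        pos = any(f(s, p1, p2, q, t, u) for f in POSITIVE)
        neg = phi_b(s, p1, p2, q, t, u)
        if not (pos and neg):
            failures.append((q, t, pos, neg))
    return failures


def sample_state():
    """Constructed state: a covered entity, alice's representative, a business
    associate, the Secretary, and one research authorization on file."""
    return State(
        active={("ce1", ("covered-entity",)), ("bob", ("personal-representative", "alice")),
                ("lab", ("business-associate", "ce1")), ("hhs", ("Secretary",))},
        attr_class={"diagnosis": "phi", "zip3": "dii"},
        authorized_164_508={("ce1", "uni", "alice", "diagnosis", ("research",))},
    )
```

The disclosure to the business associate is the instructive case: φ164.502d1 permits it, but none of the (b)(2) exceptions apply, so the flow is still blocked until the minimum-necessary oracle holds for that exact (p1, p2, (q, t), u) tuple.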

164.502(c)

A covered entity that has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in §164.522(a).

permitted_by_164_502_c(A) :-
    % must also check whether restriction exists for a particular case
    is_from_coveredEntity(A),
    is_phi(A),
    (permitted_by_164_522_a_1(A) ;
     permitted_by_164_522_a(A)),
    writeln('HIPAA rule 164_502_c;').

Again, we have no corresponding norms here; they will come from §164.522(a).

164.502(d)

permitted_by_164_502_d(A) :-
    permitted_by_164_502_d_1(A) ;
    permitted_by_164_502_d_2(A).
164.502(d)(1)

A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.

permitted_by_164_502_d_1(A) :-
    %use part is not so clear, just modelled the disclosure part.
    is_phi(A),
    is_from_coveredEntity(A),
    is_to_businessAssociateOf(A),
    is_for_createDeidentifiedInfo(A),
    writeln('HIPAA rule 164_502_d_1;').

We have the positive norm:

\[
\begin{aligned}
\varphi_{164.502d1} \equiv\ & \mathit{activerole}(p_1, \text{covered-entity})\ \wedge \\
& \mathit{activerole}(p_2, \text{business-associate}(p_1))\ \wedge \\
& (t \in_T \mathit{phi})\ \wedge \\
& (u \in_U \text{create-deidentified-info})
\end{aligned}
\]

Note that we again rely on purposes to capture the crucial component of this HIPAA clause.

164.502(d)(2)

Health information that meets the standard and implementation specifications for de-identification under §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that:

permitted_by_164_502_d_2(A) :-
    permitted_by_164_514(A),
    (excluded_by_164_502_d_2_i(A) ;
     permitted_by_164_502_d_2_ii(A)),
    writeln('HIPAA rule 164_502_b_2;').

In our system, de-identified information will be classified as $(t \in_T \mathit{dii})$. Since we ensure that this class is distinct from $\mathit{phi}$, we have no norm here. All other norms that we have in HIPAA will include the constraint that the attribute $t$ is from the class $\mathit{phi}$. Therefore, de-identified information will be able to “escape” those norms and be sent.

164.502(d)(2)(i)

Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and

excluded_by_164_502_d_2_i(A) :-
    %verify that the message does not have identifiable
    %attributes for join like primary keys
    fail.

We include the following constraint:

\[
\begin{aligned}
(t \in_T \mathit{dii}) \Rightarrow\ & \neg\exists m'.\ \mathit{contains}(m', (q, \text{identification-code}))\ \wedge \\
& \mathit{send}(p_1, p_2, m')
\end{aligned}
\]

where $\phi \Rightarrow \psi$ means that, in all states, $\phi$ must imply $\psi$.

164.502(d)(2)(ii)

If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.

permitted_by_164_502_d_2_ii(A) :-
    % verify that the de-identified information is not re-identified
    fail.

Since we only classify $(t \in_T \mathit{dii})$ when $t$ has not been re-identified, we do not need to do anything here. Once $t$ is re-identified, it will be classified as $(t \in_T \mathit{phi})$ and will be appropriately treated by the other norms.
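An added Python example (not the paper's code) of the dii/phi bookkeeping that (d)(2)(i) and (d)(2)(ii) rely on: which (subject, attribute) pairs meet the §164.514 standard is treated as an oracle and recorded as a set, re-identification moves a pair back into phi, identification codes are attributes literally named "identification-code", and sends are (sender, receiver, frozenset of (q, t)) triples. The scenario and all names are constructed.

```python
"""Attribute classification for §164.502(d)(2): dii versus phi (added example)."""


class Classifier:
    def __init__(self, deidentified):
        self.deidentified = set(deidentified)   # meets §164.514(a),(b): oracle, assumed
        self.reidentified = set()

    def reidentify(self, q, t):
        # §164.502(d)(2)(ii): once re-identified, (q, t) is phi again and the
        # ordinary phi norms apply; no separate norm is needed
        self.reidentified.add((q, t))

    def classify(self, q, t):
        """(t ∈_T dii) holds exactly while de-identified and not re-identified."""
        if (q, t) in self.deidentified and (q, t) not in self.reidentified:
            return "dii"
        return "phi"

    def phi_scope(self, msg):
        """The (q, t) pairs of a message that the phi norms still constrain;
        dii pairs escape them."""
        return {(q, t) for (q, t) in msg if self.classify(q, t) == "phi"}

    def d2i_violations(self, sends):
        """(t ∈_T dii) ⇒ ¬∃m'. contains(m', (q, identification-code)) ∧ send(p1, p2, m').
        Flags every send carrying a re-identification code for a subject who
        still has dii data: the code itself counts as a disclosure of phi."""
        dii_subjects = {q for (q, t) in self.deidentified
                        if self.classify(q, t) == "dii"}
        return [(p1, p2) for (p1, p2, m) in sends
                if any(t == "identification-code" and q in dii_subjects for (q, t) in m)]


def demo():
    """Constructed scenario: alice's diagnosis is de-identified and sent to a
    research partner, which then separately receives the linking code."""
    c = Classifier({("alice", "diagnosis")})
    sends = [
        ("ce1", "uni", frozenset({("alice", "diagnosis")})),            # escapes the phi norms
        ("ce1", "uni", frozenset({("alice", "identification-code")})),  # violates (d)(2)(i)
    ]
    before = (c.classify("alice", "diagnosis"), c.phi_scope(sends[0][2]),
              c.d2i_violations(sends))
    c.reidentify("alice", "diagnosis")
    after = (c.classify("alice", "diagnosis"), c.phi_scope(sends[0][2]),
             c.d2i_violations(sends))
    return before, after
```

Before re-identification the first send is outside the phi norms and the second send is the (d)(2)(i) violation; after re-identification the diagnosis is phi again, so the top-level formula's ordinary norms decide, and the identification-code constraint no longer fires because no dii data remains for alice.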

164.502(e)

permitted_by_164_502_e(A) :-
    excluded_164_502_e_1_ii(A) ;
    permitted_by_164_502_e_1_i(A).

%not sure what this means, non-compliance of BA.
%permitted_164_502_e_1_iii(A).
%surely cant implement this written notice thing.
%permitted_164_502_e_2(A).

We have a positive norm with negative restrictions, forming a positive norm:

\[
\varphi_{164.502e} \equiv (\varphi_{164.502e1i} \wedge \varphi_{164.502e1iiA} \wedge \varphi_{164.502e1iiB} \wedge \varphi_{164.502e1iiC})
\]

164.502(e)(1)

164.502(e)(1)(i)

A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.

%See if the message is allowed to be received by any of the covered entities
%of this business associate or if the covered entity is disclosing protected
%health to a business associate. An entity is a business associate of some
%covered entity if that covered entity receives assurance that the BA will
%appropriately safeguard the info and act on behalf of the covered entity.

permitted_by_164_502_e_1_i(A) :-
    is_phi(A),
    ( (is_from_coveredEntity(A),
       is_to_businessAssociateOf(A),
       is_belief_to_lawfulBusinessAssociate(A, X)) ;
      (is_to_coveredEntity(A),
       is_from_businessAssociateOf(A),
       is_belief_from_lawfulBusinessAssociate(A, X)) ),
    (is_for_createProtectedHealthInfo(A) ;
     is_for_receiveProtectedHealthInfo(A)),
    writeln('HIPAA rule 164_502_e_1_i;').

We have the norm:

\[
\begin{aligned}
\varphi_{164.502e1i} \equiv\ & \mathit{activerole}(p_1, \text{covered-entity})\ \wedge \\
& \mathit{activerole}(p_2, \text{business-associate}(p_1))\ \wedge \\
& (t \in_T \mathit{phi})\ \wedge \\
& \text{satisfactory-assurances-will-safeguard-info}(p_1, p_2, (q, t), u)
\end{aligned}
\]

where the newly introduced predicate satisfactory-assurances-will-safeguard-info is defined as a macro in §164.502(e)(2).

164.502(e)(1)(ii)

This standard does not apply:

excluded_164_502_e_1_ii(A) :-
    excluded_164_502_e_1_ii_a(A) ;
    excluded_164_502_e_1_ii_b(A) ;
    excluded_164_502_e_1_ii_c(A).

We have no corresponding norm, as these exceptions were captured in §164.502(e).

164.502(e)(1)(ii)(A)

With respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual;

excluded_164_502_e_1_ii_a(A) :-
    is_about_individual(A),
    is_to_healthCareProvider(A),
    is_for_treatment(A),
    is_from_coveredEntity(A),
    writeln('HIPAA rule 164_502_e_1_ii_a;').

We have the exception:

\[
\begin{aligned}
\varphi_{164.502e1iiA} \equiv\ & \neg(\mathit{activerole}(p_1, \text{covered-entity})\ \wedge \\
& \quad \mathit{activerole}(p_2, \mathit{provider}(q))\ \wedge \\
& \quad (u \in_U \mathit{treatment}))
\end{aligned}
\]

164.502(e)(1)(ii)(B)

With respect to disclosures by a group health plan or a health insurance issuer or HMO with respect to a group health plan to the plan sponsor, to the extent that the requirements of §164.504(f) apply and are met; or

excluded_164_502_e_1_ii_b(A) :-
    %to plan sponsor
    (is_from_healthInsuranceIssuer(A) ;
     is_from_groupHealthPlan(A)),
    permitted_by_164_504_f(A),
    writeln('HIPAA rule 164_502_e_1_ii_b;').

% "with respect to a group health plan" could be
% represented by storing group health plan in type or purpose?

We have the exception:

\[
\begin{aligned}
\varphi_{164.502e1iiB} \equiv\ & \neg((\exists p_1'.\ \mathit{activerole}(p_1', \text{group-health-plan})\ \wedge \\
& \quad ((p_1 = p_1')\ \vee \\
& \quad\ \mathit{activerole}(p_1, \text{health-insurance-issuer}(p_1'))\ \vee \\
& \quad\ \mathit{activerole}(p_1, \mathit{HMO}(p_1')))\ \wedge \\
& \quad \mathit{activerole}(p_2, \mathit{sponsor}(p_1')))\ \wedge \\
& \quad \varphi_{164.504f})
\end{aligned}
\]

To capture “to the extent that the requirements of §164.504(f) apply and are met,” we include $\varphi_{164.504f}$.

164.502(e)(1)(ii)(C)

With respect to uses or disclosures by a health plan that is a government program providing public benefits, if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan.

%enrollment information is collected by the government agency.
% (incomplete) lot of insurance stuff
excluded_164_502_e_1_ii_c(A) :-
    is_from_governmentAgencyHealthPlan(A),
    writeln('HIPAA rule 164_502_e_1_ii_c;').

We have the exception:

\[
\begin{aligned}
\varphi_{164.502e1iiC} \equiv\ & \neg(\mathit{activerole}(p_1, \mathit{agency})\ \wedge \\
& \quad \mathit{activerole}(p_2, \text{government-health-plan})\ \wedge \\
& \quad ((\neg(p_2 = p_1)\ \wedge \\
& \quad\ \ \text{determines-eligibility-enrollment}(p_1, p_2))\ \vee \\
& \quad\ \ \neg\text{eligibility-enrollment-info-collected-by}(p_2))\ \wedge \\
& \quad (u \in_U \text{determine-eligibility-enrollment}))
\end{aligned}
\]

164.502(e)(1)(iii)

A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and §164.504(e).

Because this paragraph appears to be simply a statement of intent, we have no norm here.

164.502(e)(2)

A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of §164.504(e).

We capture this paragraph using a macro satisfactory-assurances-will-safeguard-info:

\[
\begin{aligned}
\text{satisfactory-assurances-will-safeguard-info}(p_1, p_2, (q, t), u) \equiv\ & \exists m'.\ \Diamond\mathit{send}(p_1, p_2, m')\ \wedge \\
& \text{is-contract-164.504e}(m', p_1, p_2, (q, t), u)
\end{aligned}
\]


164.502(f)

A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual.

permitted_by_164_502_f(A) :-
    %comply to subpart if individual dead
    % so basically dont care dead or alive,
    fail.

Similarly to the Datalog formalization of Lam et al., there will be no norms that rely on whether or not an individual is deceased. Therefore, living and deceased individuals will be treated uniformly, and there is no need for an explicit norm here.
164.502(g)

permitted_by_164_502_g(A) :-
    permitted_by_164_502_g_1(A) ;
    permitted_by_164_502_g_2(A) ;
    permitted_by_164_502_g_3(A) ;
    permitted_by_164_502_g_4(A) ;
    permitted_by_164_502_g_5(A).

Again, we have no corresponding norm since the relevant norms will be directly included when they appear.

164.502(g)(1)

As specified in this paragraph, a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter.

permitted_by_164_502_g_1(A) :-
    %treat personal representative as individual except by g-3 and g-5.
    fail,
    writeln('HIPAA rule 164_502_g_1;').

164.502(g)(2) 

If  under  applicable  law  a  person  has  authority  to  act  on  behalf  of  an  individual  who  is 
an  adult  or  an  emancipated  minor  in  making  decisions  related  to  health  care,  a  covered 
entity  must  treat  such  person  as  a  personal  representative  under  this  subchapter,  with 
respect  to  protected  health  information  relevant  to  such  personal  representation. 

permitted_by_164_502_g_2(A) :-
    % should treat adult or emancipated minor in making decision as individual,
    % relevant to such personal representatives.
    is_about_adult(A),
    msg_about(A, X),
    personal_representative(X, Y),
    (msg_to(A, Y);
     msg_from(A, Y)),
    writeln('HIPAA rule 164_502_g_2;').

Unlike Lam et al., we do not choose to base this clause around disclosure. Instead, the clause
speaks about when a covered entity should treat a principal as a personal representative. In our
view, this is most clearly captured as a constraint on when a principal may act in the role of a
personal representative:

\[
\begin{aligned}
&\text{has-authority-to-act-on-behalf-healthcare}(p, q) \wedge {} \\
&(\text{belongstorole}(q, \text{adult}) \vee \text{belongstorole}(q, \text{emancipated-minor})) \\
&\quad\Rightarrow \text{activerole}(p, \text{personal-representative}(q))
\end{aligned}
\]




The connective $\Rightarrow$ requires that the underlying implication hold in all states. It effectively functions
as a constraint on our model. Also, the semantics of has-authority-to-act-on-behalf-healthcare are
given by an oracle.

164.502(g)(3) 

permitted_by_164_502_g_3(A) :-
    % Assuming there are no applicable provisions or other applicable state laws,
    % should be allowed if 3i and 164.524 allow it, and denied if they deny.
    % Else (when neither are applicable) the decision is made by licensed health
    % professional.
    permitted_by_164_502_g_3_i(A);
    permitted_by_164_502_g_3_ii(A).

Again,  we  have  no  corresponding  norm;  refer  to  the  following  paragraphs. 

164.502(g)(3)(i) 

If  under  applicable  law  a  parent,  guardian,  or  other  person  acting  in  loco  parentis  has 
authority  to  act  on  behalf  of  an  individual  who  is  an  unemancipated  minor  in  making 
decisions  related  to  health  care,  a  covered  entity  must  treat  such  person  as  a  personal 
representative  under  this  subchapter,  with  respect  to  protected  health  information  rel¬ 
evant  to  such  personal  representation,  except  that  such  person  may  not  be  a  personal 
representative  of  an  unemancipated  minor,  and  the  minor  has  the  authority  to  act  as 
an  individual,  with  respect  to  protected  health  information  pertaining  to  a  health  care 
service,  if: 

(A)  The  minor  consents  to  such  health  care  service;  no  other  consent  to  such  health 
care  service  is  required  by  law,  regardless  of  whether  the  consent  of  another  person 
has  also  been  obtained;  and  the  minor  has  not  requested  that  such  person  be  treated 
as  the  personal  representative; 

(B)  The  minor  may  lawfully  obtain  such  health  care  service  without  the  consent  of  a 
parent,  guardian,  or  other  person  acting  in  loco  parentis,  and  the  minor,  a  court, 
or  another  person  authorized  by  law  consents  to  such  health  care  service;  or 

(C)  A  parent,  guardian,  or  other  person  acting  in  loco  parentis  assents  to  an  agreement 
of  confidentiality  between  a  covered  health  care  provider  and  the  minor  with  respect 
to  such  health  care  service. 

is_guardian(X, Y) :-
    parent(X, Y);
    guardian(X, Y);
    loco_parentis(X, Y).

permitted_by_164_502_g_3_i(A) :-
    % relevant to such personal representatives.
    % about health care services
    is_about_minor(A),
    msg_about(A, X),
    (msg_to(A, Y);
     msg_from(A, Y)),
    is_guardian(X, Y),
    \+ (permitted_by_164_502_g_3_i_A(A),
        permitted_by_164_502_g_3_i_B(A),
        permitted_by_164_502_g_3_i_C(A)),
    writeln('HIPAA rule 164_502_g_3_i;').

% rule requires you to remove a parents role
% as a personal representative globally in the shh file.
% this can be done if the child requests such or parent agrees

permitted_by_164_502_g_3_i_A(A) :-
    fail.

permitted_by_164_502_g_3_i_B(A) :-
    fail.

permitted_by_164_502_g_3_i_C(A) :-
    fail.

Again,  it  is  our  opinion  that  it  is  incorrect  to  treat  this  HIPAA  clause  as  being  based  around 
disclosures.  We  consider  it  to  be  a  constraint  on  the  conditions  under  which  a  principal  may  act 
as  a  personal  representative: 

\[
\begin{aligned}
&(\text{activerole}(p, \text{parent}(q)) \vee \text{activerole}(p, \text{guardian}(q)) \vee \text{activerole}(p, \text{in-loco-parentis}(q))) \wedge {} \\
&\text{belongstorole}(q, \text{unemancipated-minor}) \wedge {} \\
&\text{has-authority-to-act-on-behalf-healthcare}(p, q) \\
&\quad\Rightarrow \text{activerole}(p, \text{personal-representative}(q))
\end{aligned}
\]

164.502(g)(3)(ii)

Notwithstanding  the  provisions  of  paragraph  (g)(3)(i)  of  this  section: 

permitted_by_164_502_g_3_ii(A) :-
    permitted_by_164_502_g_3_ii_A(A);
    permitted_by_164_502_g_3_ii_B(A);
    permitted_by_164_502_g_3_ii_C(A).

Again,  we  have  no  corresponding  norm. 

164.502(g)(3)(ii)(A)

If, and to the extent, permitted or required by an applicable provision of State or
other law, including applicable case law, a covered entity may disclose, or provide access
in accordance with §164.524 to, protected health information about an unemancipated
minor to a parent, guardian, or other person acting in loco parentis;

permitted_by_164_502_g_3_ii_A(A) :-
    % covered entity may send to guardian based on applicable law
    fail,
    writeln('HIPAA rule 164_502_g_3_ii_A;').

%add if permitted by any other specified by laws

\[
\begin{aligned}
\varphi^{+}_{164.502g3iiA} \equiv\;& \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
&(\text{activerole}(p_2, \text{parent}(q)) \vee \text{activerole}(p_2, \text{guardian}(q)) \vee \text{activerole}(p_2, \text{in-loco-parentis}(q))) \wedge {} \\
&(t \in_{T} \text{phi}) \wedge {} \\
&\text{permitted-by-other-law}(p_1, p_2, (q, t), u)
\end{aligned}
\]

164.502(g)(3)(ii)(B)

If, and to the extent, prohibited by an applicable provision of State or other law,
including applicable case law, a covered entity may not disclose, or provide access in
accordance with §164.524 to, protected health information about an unemancipated minor
to a parent, guardian, or other person acting in loco parentis; and

permitted_by_164_502_g_3_ii_B(A) :-
    % covered entity may NOT send to guardian based on applicable law
    fail,
    writeln('HIPAA rule 164_502_g_3_ii_B;').

\[
\begin{aligned}
\varphi^{-}_{164.502g3iiB} \equiv\;& \neg\big(\text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
&\quad(\text{activerole}(p_2, \text{parent}(q)) \vee \text{activerole}(p_2, \text{guardian}(q)) \vee \text{activerole}(p_2, \text{in-loco-parentis}(q))) \wedge {} \\
&\quad(t \in_{T} \text{phi}) \wedge {} \\
&\quad\text{prohibited-by-other-law}(p_1, p_2, (q, t), u)\big)
\end{aligned}
\]

164.502(g)(3)(ii)(C)

Where the parent, guardian, or other person acting in loco parentis, is not the personal
representative under paragraphs (g)(3)(i)(A), (B), or (C) of this section and where
there is no applicable access provision under State or other law, including case law, a
covered entity may provide or deny access under §164.524 to a parent, guardian, or other
person acting in loco parentis, if such action is consistent with State or other applicable
law, provided that such decision must be made by a licensed health care professional, in
the exercise of professional judgment.
permitted_by_164_502_g_3_ii_C(A) :-
    % will add one more rule representing personal representative in add. to guardian
    %if personal rep ties are broken, then
    % licensed medical practitioner may send based on professional judgement
    fail,
    writeln('HIPAA rule 164_502_g_3_ii_C;').

We  have  no  corresponding  norm  here.  This  will  be  handled  by  the  allow  and  deny  rules  in 
§164.524. 

164.502(g)(4) 

If  under  applicable  law  an  executor,  administrator,  or  other  person  has  authority 
to  act  on  behalf  of  a  deceased  individual  or  of  the  individual’s  estate,  a  covered  entity 
must  treat  such  person  as  a  personal  representative  under  this  subchapter,  with  respect 
to  protected  health  information  relevant  to  such  personal  representation. 

permitted_by_164_502_g_4(A) :-
    is_about_deceasedIndividual(A),
    msg_about(A, X),
    personal_representative(X, Y),
    (msg_to(A, Y);
     msg_from(A, Y)),
    writeln('HIPAA rule 164_502_g_4;').

Again,  we  treat  this  clause  as  specifying  a  constraint  on  when  a  principal  may  be  considered  a 
personal  representative,  rather  than  a  disclosure-based  clause: 

\[
\begin{aligned}
&(\text{activerole}(p, \text{executor}) \vee \text{activerole}(p, \text{administrator}) \vee \top) \wedge {} \\
&\text{belongstorole}(q, \text{deceased}) \wedge {} \\
&\text{has-authority-to-act-on-behalf-healthcare}(p, q) \\
&\quad\Rightarrow \text{activerole}(p, \text{personal-representative}(q))
\end{aligned}
\]

164.502(g)(5) 

Notwithstanding  a  State  law  or  any  requirement  of  this  paragraph  to  the  contrary, 
a  covered  entity  may  elect  not  to  treat  a  person  as  the  personal  representative  of  an 
individual  if: 

(i)  The  covered  entity  has  a  reasonable  belief  that: 

(A)  The  individual  has  been  or  may  be  subjected  to  domestic  violence,  abuse,  or 
neglect  by  such  person;  or 

(B)  Treating  such  person  as  the  personal  representative  could  endanger  the  indi¬ 
vidual;  and 
(ii) The covered entity, in the exercise of professional judgment, decides that it is not
in  the  best  interest  of  the  individual  to  treat  the  person  as  the  individual ’s  personal 
representative. 

permitted_by_164_502_g_5(A) :-
    permitted_by_164_502_g_5_i(A);
    permitted_by_164_502_g_5_ii(A).

permitted_by_164_502_g_5_i(A) :-
    msg_about(A, X),
    msg_to(A, Y),
    %is_belief_dangerousRepresentative(X, Y).
    fail,
    writeln('HIPAA rule 164_502_g_5_i;').

permitted_by_164_502_g_5_ii(A) :-
    %is_belief_notBestInterestOfIndividual(X, Y).
    fail,
    writeln('HIPAA rule 164_502_g_5_ii;').

We have the constraint (note that the two beliefs of paragraph (i) are alternatives, and that the
conclusion is that the principal does not act as the personal representative):

\[
\begin{aligned}
&(\text{believes-has-been-or-may-be-subject-of-abuse-from}(q, p) \vee {} \\
&\;\text{believes-treating-as-personal-representative-dangerous}(p, q)) \wedge {} \\
&\text{professional-judgment-treating-as-personal-representative-not-best-interest}(p, q) \\
&\quad\Rightarrow \neg\text{activerole}(p, \text{personal-representative}(q))
\end{aligned}
\]

The  predicates  in  this  formalization  rely  on  oracles  for  their  semantics. 

At this point, we have seen all of the clauses from paragraph §164.502(g), and have given their
formalizations as constraints on when a principal may act as a personal representative. Our inter-
pretation is that §164.502(g) operates under a kind of closed-world assumption: these are sufficient
and necessary conditions for a principal to act as a personal representative. Therefore, we replace
the earlier constraints with one large constraint that is an equivalence. Since it is an equivalence,
we can now treat it as a macro definition:

\[
\begin{aligned}
\text{activerole}(p, \text{personal-representative}(q)) \equiv\;&
\big(((\text{belongstorole}(q, \text{adult}) \vee \text{belongstorole}(q, \text{emancipated-minor})) \wedge {} \\
&\quad \text{has-authority-to-act-on-behalf-healthcare}(p, q)) \vee {} \\
&\;((\text{activerole}(p, \text{parent}(q)) \vee \text{activerole}(p, \text{guardian}(q)) \vee \text{activerole}(p, \text{in-loco-parentis}(q))) \wedge {} \\
&\quad \text{belongstorole}(q, \text{unemancipated-minor}) \wedge {} \\
&\quad \text{has-authority-to-act-on-behalf-healthcare}(p, q)) \vee {} \\
&\;((\text{activerole}(p, \text{executor}) \vee \text{activerole}(p, \text{administrator}) \vee \top) \wedge {} \\
&\quad \text{belongstorole}(q, \text{deceased}) \wedge {} \\
&\quad \text{has-authority-to-act-on-behalf-healthcare}(p, q))\big) \wedge {} \\
&\neg\big((\text{believes-victim-of-abuse-by}(q, p) \vee {} \\
&\quad \text{believes-treating-as-personal-representative-is-dangerous}(p, q)) \wedge {} \\
&\quad \text{professional-judgment-treating-as-personal-representative-not-in-best-interest}(p, q)\big)
\end{aligned}
\]

Unfortunately,  there  does  not  appear  to  be  a  cleaner  way  of  combining  the  individual  sufficient 
constraints  from  the  subparagraphs  of  §  164.502(g)  in  a  way  that  they  are  also  necessary. 
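The following Python program is an added illustration and is not part of this formalization or of Lam et al.'s Datalog code. It evaluates the macro above over a small constructed environment: the oracle predicates (has-authority-to-act-on-behalf-healthcare, the two belief predicates and the professional-judgment predicate) are supplied as explicit sets of tuples, parameterized roles such as parent(q) are represented as pairs, and the principals and facts are invented for the example. It makes visible two consequences of the equivalence that are easy to miss on paper: the $\top$ disjunct in the (g)(4) case means any person with authority over a deceased individual qualifies, regardless of role, and the (g)(5) opt-out only removes the role when a belief and the professional-judgment predicate hold together.

```python
"""Closed-world reading of HIPAA 164.502(g): p is an active personal
representative of q iff one of the (g)(2)-(g)(4) conditions holds and the
(g)(5) opt-out does not.  Constructed example; oracles are plain sets."""
from dataclasses import dataclass, field


@dataclass
class Env:
    belongs: set = field(default_factory=set)             # belongstorole(p, role)
    active: set = field(default_factory=set)              # activerole(p, role); parameterized roles are (name, q)
    authority: set = field(default_factory=set)           # has-authority-to-act-on-behalf-healthcare(p, q)
    believes_abuse_by: set = field(default_factory=set)   # believes-victim-of-abuse-by(q, p)
    believes_dangerous: set = field(default_factory=set)  # believes-treating-as-personal-representative-is-dangerous(p, q)
    not_best_interest: set = field(default_factory=set)   # professional-judgment-...-not-in-best-interest(p, q)


def belongstorole(env, p, role):
    return (p, role) in env.belongs


def activerole(env, p, role):
    return (p, role) in env.active


def g2_adult_or_emancipated(env, p, q):
    """164.502(g)(2): authority over an adult or an emancipated minor."""
    return ((belongstorole(env, q, "adult") or belongstorole(env, q, "emancipated-minor"))
            and (p, q) in env.authority)


def g3_parent_of_minor(env, p, q):
    """164.502(g)(3)(i): parent/guardian/in-loco-parentis with authority over an unemancipated minor."""
    guardian_like = any(activerole(env, p, (r, q)) for r in ("parent", "guardian", "in-loco-parentis"))
    return (guardian_like and belongstorole(env, q, "unemancipated-minor")
            and (p, q) in env.authority)


def g4_deceased(env, p, q):
    """164.502(g)(4): executor, administrator, or (via the ⊤ disjunct) any other person
    with authority over a deceased individual.  Because the role disjunction contains ⊤
    it is vacuous, so only the remaining two conjuncts are tested."""
    return belongstorole(env, q, "deceased") and (p, q) in env.authority


def g5_opt_out(env, p, q):
    """164.502(g)(5): (belief of abuse OR belief of danger) AND professional judgment."""
    return (((q, p) in env.believes_abuse_by or (p, q) in env.believes_dangerous)
            and (p, q) in env.not_best_interest)


def is_personal_representative(env, p, q):
    """activerole(p, personal-representative(q)) expanded as the equivalence."""
    sufficient = (g2_adult_or_emancipated(env, p, q) or g3_parent_of_minor(env, p, q)
                  or g4_deceased(env, p, q))
    return sufficient and not g5_opt_out(env, p, q)


def build_example_env():
    """Constructed facts: a parent of a minor, an adult patient, a deceased individual
    with an executor and with a second person who merely holds authority."""
    env = Env()
    env.belongs |= {("carol", "unemancipated-minor"), ("alice", "adult"), ("dave", "deceased")}
    env.active |= {("pat", ("parent", "carol")), ("eve", ("executor", "dave"))}
    env.authority |= {("pat", "carol"), ("mike", "alice"), ("eve", "dave"), ("frank", "dave")}
    return env


if __name__ == "__main__":
    env = build_example_env()
    print(is_personal_representative(env, "pat", "carol"))   # parent with authority: True
    env.believes_abuse_by.add(("carol", "pat"))
    env.not_best_interest.add(("pat", "carol"))
    print(is_personal_representative(env, "pat", "carol"))   # (g)(5) opt-out: False
```

Running the file prints True and then False; the second result is the (g)(5) override taking effect only once both the belief and the professional-judgment oracle agree.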

164.502(h) 

A covered health care provider or health plan must comply with the applicable re-
quirements of §164.522(b) in communicating protected health information.

permitted_by_164_502_h(A) :-
    (is_from_healthCareProvider(A);
     is_from_healthPlan(A)),
    is_phi(A),
    permitted_by_164_522_b(A),
    writeln('HIPAA rule 164_502_h;').

We have no norms for §164.502(h); the requirements will be satisfied on the basis of norms from
§164.522(b).

164.502(i) 

A covered entity that is required by §164.520 to have a notice may not use or disclose
protected health information in a manner inconsistent with such notice. A covered entity
that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it
intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or
disclose protected health information for such activities, unless the required statement
is included in the notice.

permitted_by_164_502_i(A) :-
    debug('164_502_i: not implemented disclosure with notice;').

Again,  we  have  no  corresponding  norm  since  the  relevant  norms  will  be  introduced  by  section 
§164.520. 

164.502(j) 

permitted_by_164_502_j(A) :-
    permitted_by_164_502_j_1(A);
    permitted_by_164_502_j_2(A).

We have no directly corresponding norm. The positive norms from (j)(1) and (2) will be inserted
at the top level.




164.502(j)(1)

A  covered  entity  is  not  considered  to  have  violated  the  requirements  of  this  subpart  if 
a  member  of  its  workforce  or  a  business  associate  discloses  protected  health  information, 
provided  that: 

(i)  The  workforce  member  or  business  associate  believes  in  good  faith  that  the  covered 
entity  has  engaged  in  conduct  that  is  unlawful  or  otherwise  violates  professional  or 
clinical  standards,  or  that  the  care,  services,  or  conditions  provided  by  the  covered 
entity  potentially  endangers  one  or  more  patients,  workers,  or  the  public;  and 

(ii)  The  disclosure  is  to: 

(A)  A  health  oversight  agency  or  public  health  authority  authorized  by  law  to  in¬ 
vestigate  or  otherwise  oversee  the  relevant  conduct  or  conditions  of  the  covered 
entity  or  to  an  appropriate  health  care  accreditation  organization  for  the  pur¬ 
pose  of  reporting  the  allegation  of  failure  to  meet  professional  standards  or 
misconduct  by  the  covered  entity;  or 

(B)  An  attorney  retained  by  or  on  behalf  of  the  workforce  member  or  business 
associate  for  the  purpose  of  determining  the  legal  options  of  the  workforce 
member  or  business  associate  with  regard  to  the  conduct  described  in  paragraph 
(j)(1)(i) of this section.

permitted_by_164_502_j_1(A) :-
    (is_from_employeeOf(A, Y);
     is_from_businessAssociateOf(A, Y)),
    permitted_by_164_502_j_1_i(A, Y),
    permitted_by_164_502_j_1_ii(A, Y).

permitted_by_164_502_j_1_i(A, Y) :-
    % basically this belief includes "they believe in good faith
    % that the covered Entity has engaged in conduct
    % that is unlawful or otherwise violates professional
    % or clinical standards, or that the care,
    % services or conditions provided by covered entity
    % potentially endangers one or more patients,
    % workers or the public"
    is_belief_from_unlawfulCoveredEntity(A, Y),
    writeln('HIPAA rule 164_502_j_1_i;').

permitted_by_164_502_j_1_ii(A, Y) :-
    permitted_by_164_502_j_1_ii_A(A, Y);
    permitted_by_164_502_j_1_ii_B(A, Y).

permitted_by_164_502_j_1_ii_A(A, Y) :-
    is_to_healthOversightAgency(A);
    (is_to_publicHealthAuthority(A),
     is_for_investigation(A));
    (is_to_healthCareAccreditationOrganization(A),
     is_for_standardsFailureMisconduct(A, Y)),
    writeln('HIPAA rule 164_502_j_1_ii_A;').

permitted_by_164_502_j_1_ii_B(A, Y) :-
    is_to_legalAttorney(A),
    is_for_determiningLegalOptions(A),
    %is_belief_from_unlawfulCoveredEntity(A, Y),
    writeln('HIPAA rule 164_502_j_1_ii_B;').

We  have: 

\[
\begin{aligned}
\varphi^{+}_{164.502j1} \equiv\;& \exists p'_1.\ \text{belongstorole}(p'_1, \text{covered-entity}) \wedge {} \\
&(\text{activerole}(p_1, \text{workforce-member}(p'_1)) \vee \text{activerole}(p_1, \text{business-associate}(p'_1))) \wedge {} \\
&\text{believes-unlawful-unethical-or-dangerous}(p_1, p'_1) \wedge {} \\
&\big(((\text{activerole}(p_2, \text{oversight-agency}) \vee \text{activerole}(p_2, \text{public-health-authority})) \wedge {} \\
&\qquad \text{authorized-by-law-to-investigate-allegations}(p_2, (p_1, p'_1))) \vee {} \\
&\;\;(\text{activerole}(p_2, \text{healthcare-accreditation-organization}) \wedge (u \in_{U} \text{report-unethical-conduct-allegations}(p_1, p'_1))) \vee {} \\
&\;\;(\text{activerole}(p_2, \text{attorney}(p_1)) \wedge (u \in_{U} \text{determine-legal-options}(p_1, p'_1)))\big) \wedge {} \\
&(t \in_{T} \text{phi})
\end{aligned}
\]

164.502(j)(2) 

A covered entity is not considered to have violated the requirements of this subpart if
a member of its workforce who is the victim of a criminal act discloses protected health
information to a law enforcement official, provided that:

(i) The protected health information disclosed is about the suspected perpetrator of the
criminal act; and

(ii) The protected health information disclosed is limited to the information listed in
§164.512(f)(2)(i).

permitted_by_164_502_j_2(A) :-
    is_from_employeeOf(A, Y),
    is_belief_from_employeeVictimOfCriminalAct(A, Y),
    is_to_lawEnforcementOfficer(A),
    is_phi(A),
    permitted_by_164_502_j_2_i(A),
    permitted_by_164_502_j_2_ii(A),
    writeln('HIPAA rule 164_502_j_2;').

permitted_by_164_502_j_2_i(A) :-
    is_about_suspectedCrimePerpetrator(A).

permitted_by_164_502_j_2_ii(A) :-
    permitted_by_164_512_f_2_i(A).

We  have  the  following  positive  norm,  where  info-164-512f2i  is  an  attribute  that  contains  all 
possible  attributes  specified  in  §164.512(f)(2)(i): 

\[
\begin{aligned}
\varphi^{+}_{164.502j2} \equiv\;& \exists c.\ (\exists p'_1.\ \text{belongstorole}(p'_1, \text{covered-entity}) \wedge \text{belongstorole}(p_1, \text{workforce-member}(p'_1))) \wedge {} \\
&\text{activerole}(p_1, \text{victim-of-crime}(c)) \wedge {} \\
&\text{activerole}(p_2, \text{law-enforcement-official}) \wedge {} \\
&\text{belongstorole}(q, \text{suspected-perpetrator}(c)) \wedge {} \\
&(t \in_{T} \text{info-164-512f2i})
\end{aligned}
\]

4.3 §164.506 Uses and disclosures to carry out treatment, payment, or health care operations.

%%Uses and disclosures to carry out treatment, payment or health care operations.
permitted_by_164_506(A) :-
    permitted_by_164_506_a(A);
    permitted_by_164_506_b(A);
    permitted_by_164_506_c(A).

We  have  no  corresponding  norm.  Instead,  all  norms  from  §164.506  are  installed  as  top-level 
positive  norms. 

164.506(a) 

Except with respect to uses or disclosures that require an authorization under
§164.508(a)(2) and (3), a covered entity may use or disclose protected health informa-
tion for treatment, payment, or health care operations as set forth in paragraph (c)
of this section, provided that such use or disclosure is consistent with other applicable
requirements of this subpart.

permitted_by_164_506_a(A) :-
    %Standard permitted uses and disclosures
    \+ require_authorization_by_164_508(A),
    is_from_coveredEntity(A),
    is_for_eitherPurpose(A),
    permitted_by_164_506_c(A),
    writeln('HIPAA rule 164_506_a;').

We  have  no  directly  corresponding  norms.  The  relevant  positive  norms  will  be  extracted  from 
paragraph  (c).  The  exception  for  disclosures  that  require  an  authorization  will  be  handled  by  the 
existence  of  negative  norms  for  authorization.  Similarly,  other  applicable  requirements  refer  to 
other  negative  norms. 
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164.506(b) 

164.506(b)(1) 

A  covered  entity  may  obtain  consent  of  the  individual  to  use  or  disclose  protected 
health  information  to  carry  out  treatment,  payment,  or  health  care  operations. 

permitted_by_164_506_b(A) :-
    % This consent is only sufficient if authorization is not
    % required or there is no other condition before the disclosure
    % that needs to be met.
    is_for_eitherPurpose(A),
    is_consentedby_about(A).

We  have  the  following  positive  norm,  where  we  make  crucial  use  of  the  purposes  treatment, 
payment,  and  healthcare- operations: 

\[
\begin{aligned}
\varphi^{+}_{164.506b1} \equiv\;& \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
&\text{obtained-consent-164.506b}(p_1, p_2, (q, t), u) \wedge {} \\
&(t \in_{T} \text{phi}) \wedge {} \\
&((u \in_{U} \text{treatment}) \vee (u \in_{U} \text{payment}) \vee (u \in_{U} \text{healthcare-operations}))
\end{aligned}
\]

Note that HIPAA does not explicitly give a description of how a covered entity obtains an indi-
vidual's consent under paragraph §164.506(b). Therefore, the obtained-consent-164.506b predicate
relies on an oracle to provide its semantics.

164.506(b)(2) 

Consent, under paragraph (b) of this section, shall not be effective to permit a use
or disclosure of protected health information when an authorization, under §164.508,
is required or when another condition must be met for such use or disclosure to be
permissible under this subpart.

There is no Datalog clause in Lam et al.'s formalization for this paragraph.

We  also  have  no  directly  corresponding  norm.  Instead,  the  use  of  different  predicates  for  consent 
and  authorization  and  the  fact  that  authorization  is  handled  by  negative  norms  ensure  that  the 
distinction  between  consent  and  authorization  is  preserved. 

164.506(c) 

permitted_by_164_506_c(A) :-
    %Implementation Specification
    permitted_by_164_506_c_1(A);
    permitted_by_164_506_c_2(A);
    permitted_by_164_506_c_3(A);
    permitted_by_164_506_c_4(A);
    permitted_by_164_506_c_5(A).

We have no corresponding norm. Instead, the norms from the following subparagraphs are
installed as positive norms at the top-level.

164.506(c)(1) 

A  covered  entity  may  use  or  disclose  protected  health  information  for  its  own  treat¬ 
ment,  payment,  or  health  care  operations. 

permitted_by_164_506_c_1(A) :-
    is_for_eitherPurpose(A),
    is_phi(A),
    is_msg_to_within(A).

We  have  the  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.506c1} \equiv\;& \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
&(t \in_{T} \text{phi}) \wedge {} \\
&((u \in_{U} \text{treatment}(p_1)) \vee (u \in_{U} \text{payment}(p_1)) \vee (u \in_{U} \text{healthcare-operations}(p_1)))
\end{aligned}
\]

where the purposes are now parameterized by $p_1$, indicating that the purpose is the covered entity's
own treatment, payment, or health care operations.

This norm brings up an interesting point of difference with the Datalog formalization of Lam et
al. The Datalog implementation requires that the disclosure is made within the covered entity's
organization, whereas our formalization makes the weaker requirement that the purpose is that
of the covered entity. It is unclear to us which of these interpretations is correct. The stronger
requirement could be formalized in our framework as:

\[
\begin{aligned}
&\text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
&\text{activerole}(p_2, \text{organization-member}(p_1)) \wedge {} \\
&(t \in_{T} \text{phi}) \wedge {} \\
&((u \in_{U} \text{treatment}) \vee (u \in_{U} \text{payment}) \vee (u \in_{U} \text{healthcare-operations}))
\end{aligned}
\]

164.506(c)(2) 

A  covered  entity  may  disclose  protected  health  information  for  treatment  activities 
of  a  health  care  provider. 

permitted_by_164_506_c_2(A) :-
    is_for_treatment(A),
    is_phi(A),
    is_to_healthCareProvider(A).

We  interpret  this  paragraph  as  implicitly  requiring  that  the  provider  is  a  provider  of  the  subject 
q  (so  that  providers  cannot  learn  information  about  strangers)  and  that  the  specified  provider  is 
actually  the  recipient.  Therefore,  we  render  this  clause  as: 
\[
\begin{aligned}
\varphi^{+}_{164.506c2} \equiv\;& \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
&\text{activerole}(p_2, \text{provider}(q)) \wedge {} \\
&(t \in_{T} \text{phi}) \wedge {} \\
&(u \in_{U} \text{treatment}(p_2))
\end{aligned}
\]

164.506(c)(3) 

A  covered  entity  may  disclose  protected  health  information  to  another  covered  en¬ 
tity  or  a  health  care  provider  for  the  payment  activities  of  the  entity  that  receives  the 
information. 

permitted_by_164_506_c_3(A) :-
    is_for_payment(A),
    is_phi(A),
    (is_to_healthCareProvider(A);
     is_to_coveredEntity(A)).

We  interpret  this  clause  as  implicitly  requiring  that  the  provider  be  a  provider  of  the  subject  q. 
Therefore,  we  have  the  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.506c3} \equiv\;& \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
&(\text{activerole}(p_2, \text{covered-entity}) \vee \text{activerole}(p_2, \text{provider}(q))) \wedge {} \\
&(t \in_{T} \text{phi}) \wedge {} \\
&(u \in_{U} \text{payment}(p_2))
\end{aligned}
\]

164.506(c)(4) 

A  covered  entity  may  disclose  protected  health  information  to  another  covered  entity 
for  health  care  operations  activities  of  the  entity  that  receives  the  information,  if  each 
entity  either  has  or  had  a  relationship  with  the  individual  who  is  the  subject  of  the 
protected  health  information  being  requested,  the  protected  health  information  pertains 
to  such  relationship,  and  the  disclosure  is: 

(i)  For  a  purpose  listed  in  paragraph  (1)  or  (2)  of  the  definition  of  health  care  opera¬ 
tions;  or 

(ii)  For  the  purpose  of  health  care  fraud  and  abuse  detection  or  compliance. 

permitted_by_164_506_c_4(A) :-
    %writeln('HIPAA rule 164.506.c.4: How to ensure that its a
    %diff covered entitiy? information pertains to that relation'),
    is_from_coveredEntity(A),
    is_to_coveredEntity(A),
    is_for_healthCareOperations(A),
    %pertains_to(A),
    is_belief_from_about_pertainingToRelationship(A),
    is_msg_about_to_inRelation(A).
    %satisfy_164_506_c_4(A).

satisfy_164_506_c_4(A) :-
    %%Purpose has to be health care operations along with the ones below.
    %%Currently not working as you need a list of purposes. Right now it's
    %%just one purpose.
    permitted_by_164_506_c_4_i(A);
    permitted_by_164_506_c_4_ii(A).

permitted_by_164_506_c_4_i(A) :-
    debug('164.506.c.4.i: Could not figure out this para;'),
    is_for_definitionOfHealthCareOperations(A).

permitted_by_164_506_c_4_ii(A) :-
    is_for_healthCareFraudAbuseDetection(A);
    is_for_compliance(A).

We  have  the  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.506c4} \equiv\;& \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
&\text{activerole}(p_2, \text{covered-entity}) \wedge {} \\
&(t \in_{T} \text{phi}) \wedge {} \\
&(\exists r_1{:}\text{rel}.\ \Diamond\,\text{inrelationship}(p_1, r_1, q) \wedge \text{pertains-to}(t, r_1)) \wedge {} \\
&(\exists r_2{:}\text{rel}.\ \Diamond\,\text{inrelationship}(p_2, r_2, q) \wedge \text{pertains-to}(t, r_2)) \wedge {} \\
&((u \in_{U} \text{healthcare-operations-paras-1-2}(p_2)) \vee {} \\
&\;\;(u \in_{U} \text{healthcare-fraud-abuse-detection}) \vee {} \\
&\;\;(u \in_{U} \text{healthcare-fraud-abuse-compliance}))
\end{aligned}
\]

We  introduce  a  new  sort  rel  for  abstract  relationships  and  a  predicate  inrelationship  to  judge  when 
a  relationship  holds.  Although  this  is  very  similar  to  our  notion  of  parameterized  roles,  technically, 
it  is  not  quite  the  same.  This  clause  requires  us  to  existentially  quantify  over  a  relationship.  This 
cannot  be  done  if  parameterized  roles  are  taken  as  the  notion  of  relationship,  since  that  would  mean 
quantifying  over  function  symbols.  The  need  to  add  a  distinct  notion  of  relationship  is  somewhat 
disappointing. 
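The following Python program is an added illustration, not part of this formalization or of Lam et al.'s code. It evaluates the §164.506(c)(4) norm above over a constructed trace of states, treating relationship identifiers (the sort rel) as plain strings so that the two existentials range over a finite domain, and reading $\Diamond$ as "at some state up to and including the current one", which is what gives the clause its "has or had a relationship" reading. The principals, relationship names, the pertains-to table and the purpose names are constructed for the example; the attribute hierarchy is reduced to a single set of PHI attributes.

```python
"""HIPAA 164.506(c)(4) over a trace: both covered entities must have, or have
had, a relationship with the subject q that the attribute t pertains to.
Constructed example; every fact below is invented for illustration."""

# Each state is the set of inrelationship(p, r, q) facts that hold at that instant.
TRACE = [
    {("hospital", "inpatient-stay-2023", "alice"), ("insurer", "plan-member", "alice")},  # state 0
    {("insurer", "plan-member", "alice")},                                               # state 1: the stay has ended
    {("insurer", "plan-member", "alice"), ("hospital", "outpatient-visit", "bob")},       # state 2
]

# pertains-to(t, r): which attributes concern which relationship (constructed table)
PERTAINS_TO = {
    ("inpatient-billing-record", "inpatient-stay-2023"),
    ("inpatient-billing-record", "plan-member"),
    ("outpatient-note", "outpatient-visit"),
}

PHI = {"inpatient-billing-record", "outpatient-note"}     # stands in for t ∈_T phi
COVERED_ENTITIES = {"hospital", "insurer"}                # activerole(p, covered-entity)


def once_in_relationship(trace, now, p, r, q):
    """◇ inrelationship(p, r, q): the fact held at some state i <= now (past-time reading)."""
    return any((p, r, q) in trace[i] for i in range(now + 1))


def relationships(trace):
    """The domain of sort rel: every relationship identifier mentioned in the trace."""
    return {r for state in trace for (_, r, _) in state}


def had_pertinent_relationship(trace, now, p, q, t):
    """∃r:rel. ◇inrelationship(p, r, q) ∧ pertains-to(t, r)"""
    return any(once_in_relationship(trace, now, p, r, q) and (t, r) in PERTAINS_TO
               for r in relationships(trace))


def purpose_ok(u, p2):
    """u ∈_U healthcare-operations-paras-1-2(p2) ∨ fraud/abuse detection ∨ compliance.
    Purposes are tuples; the first alternative is parameterized by the recipient p2."""
    return u in {("healthcare-operations-paras-1-2", p2),
                 ("healthcare-fraud-abuse-detection",),
                 ("healthcare-fraud-abuse-compliance",)}


def norm_506c4(trace, now, p1, p2, q, t, u):
    """The positive norm phi+_164.506c4 evaluated at state `now` of `trace`."""
    return (p1 in COVERED_ENTITIES and p2 in COVERED_ENTITIES
            and t in PHI
            and had_pertinent_relationship(trace, now, p1, q, t)
            and had_pertinent_relationship(trace, now, p2, q, t)
            and purpose_ok(u, p2))


if __name__ == "__main__":
    ops = ("healthcare-operations-paras-1-2", "insurer")
    # At state 2 the hospital's relationship with alice is over, but ◇ looks back: permitted.
    print(norm_506c4(TRACE, 2, "hospital", "insurer", "alice", "inpatient-billing-record", ops))
    # Same disclosure, but on a trace that starts after the stay ended: no past relationship.
    print(norm_506c4(TRACE[1:], 1, "hospital", "insurer", "alice", "inpatient-billing-record", ops))
```

The second call is the point of the temporal operator: on a trace that never contained the hospital's relationship with alice, "had a relationship" is false even though the same message is sent, and the norm correctly fails.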

164.506(c)(5) 

A  covered  entity  that  participates  in  an  organized  health  care  arrangement  may  dis¬ 
close  protected  health  information  about  an  individual  to  another  covered  entity  that 
participates  in  the  organized  health  care  arrangement  for  any  health  care  operations 
activities  of  the  organized  health  care  arrangement. 

% Create organizations for each organization and have global rules that
% link each member to the organization. Then just confirm that from and to
% are part of same organization and the purpose is the organization's
% purpose




permitted_by_164_506_c_5(A) :-
    debug('164.506_c_5: Not Implemented yet;').

We  have  the  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.506c5} \equiv\;& \text{belongstorole}(p, \text{organized-healthcare-arrangement}) \wedge {} \\
&\text{activerole}(p_1, \text{covered-entity}) \wedge \text{activerole}(p_1, \text{participant}(p)) \wedge {} \\
&\text{activerole}(p_2, \text{covered-entity}) \wedge \text{activerole}(p_2, \text{participant}(p)) \wedge {} \\
&(t \in_{T} \text{phi}) \wedge {} \\
&(u \in_{U} \text{healthcare-operations}(p))
\end{aligned}
\]


4.4 §164.508 Uses and disclosures for which an authorization is required.

Lam et al.'s Datalog formalization does not cover §164.508:

%% Uses and disclosures for which authorization is required.

%should check if all valid authorizations have been obtained
require_authorization_by_164_508(A) :-
    debug('164.508: TBD no authorizations required, returns true;').

164.508(a) 

164.508(a)(1) 

Except  as  otherwise  permitted  or  required  by  this  subchapter,  a  covered  entity  may 
not  use  or  disclose  protected  health  information  without  an  authorization  that  is  valid 
under  this  section.  When  a  covered  entity  obtains  or  receives  a  valid  authorization  for 
its  use  or  disclosure  of  protected  health  information,  such  use  or  disclosure  must  be 
consistent  with  such  authorization. 

We have no norms for §164.508(a)(1), since we interpret this paragraph as a statement of intent,
rather than a statement of implementation specification.

164.508(a)(2) 

Notwithstanding any provision of this subpart, other than the transition provisions
in §164.532, a covered entity must obtain an authorization for any use or disclosure of
psychotherapy notes, except:

(i)  To  carry  out  the  following  treatment,  payment,  or  health  care  operations: 

(A)  Use  by  the  originator  of  the  psychotherapy  notes  for  treatment; 

(B)  Use  or  disclosure  by  the  covered  entity  for  its  own  training  programs  in  which 
students,  trainees,  or  practitioners  in  mental  health  learn  under  supervision  to 
practice  or  improve  their  skills  in  group,  joint,  family,  or  individual  counseling; 
or 
(C) Use or disclosure by the covered entity to defend itself in a legal action or other
proceeding brought by the individual; and

(ii) A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a);
§164.512(d) with respect to the oversight of the originator of the psychotherapy
notes; §164.512(g)(1); or §164.512(j)(1)(i).

The  core  of  this  paragraph  is  given  by  the  following  negative  norm: 

\[
\begin{aligned}
\varphi^{-}_{164.508a2} \equiv\;& \text{activerole}(p_1, \text{covered-entity}) \wedge (t \in_{T} \text{psychotherapy-notes}) \\
&\supset \text{obtained-authorization-164.508}(p_1, p_2, (q, t), u)
\end{aligned}
\]

This  negative  norm  is  then  given  several  exceptions,  resulting  in  the  new  negative  norm: 

\[
\varphi^{-}_{164.508a2'} \equiv \varphi^{-}_{164.508a2} \vee \varphi^{+}_{164.508a2iB} \vee \varphi^{+}_{164.508a2iC} \vee \varphi^{+}_{164.508a2ii}
\]

These  positive  exception  norms  are  given  by  the  following.  First,  note  that  §164.508(a)(2)(i)(A) 
applies  only  to  uses  of  the  psychotherapy  notes,  not  disclosures.  Since  we  handle  only  disclosures 
in  our  formalization,  we  ignore  this  exception. 

Second, we have an exception for §164.508(a)(2)(i)(B):

\[
\varphi^{+}_{164.508a2iB} \equiv \text{activerole}(p_1, \text{covered-entity}) \wedge (u \in_{U} \text{counseling-training-programs}(p_1))
\]

Note that the purpose counseling-training-programs($p_1$) is parameterized by $p_1$ to ensure that the
programs are run by the covered entity that obtained the authorization.

Third, we have an exception for §164.508(a)(2)(i)(C):

\[
\varphi^{+}_{164.508a2iC} \equiv \text{activerole}(p_1, \text{covered-entity}) \wedge (u \in_{U} \text{defense-in-legal-proceeding}(p_1, q))
\]

Again, we parameterize the purpose to ensure that the proceeding is being brought against $p_1$ by
$q$.

Finally, §164.508(a)(2)(ii):

\[
\varphi^{+}_{164.508a2ii} = \varphi^{+}_{164.502a2ii} \vee \Big(\bigvee_{i \in 164.512a} \varphi^{+}_{i}\Big) \vee \Big(\bigvee_{i \in 164.512d} \varphi^{+}_{i}\Big) \vee \varphi^{+}_{164.512g1} \vee \varphi^{+}_{164.512j1i}
\]

164.508(a)(3) 

164.508(a)(3)(i) 
Notwithstanding any provision of this subpart, other than the transition provisions
in §164.532, a covered entity must obtain an authorization for any use or disclosure of
protected health information for marketing, except if the communication is in the form
of:

(A)  A  face-to-face  communication  made  by  a  covered  entity  to  an  individual;  or 

(B)  A  promotional  gift  of  nominal  value  provided  by  the  covered  entity. 

In  a  manner  similar  to  that  of  the  previous  paragraph  on  psychotherapy  notes,  we  handle  the 
core  of  this  paragraph  with  a  negative  norm. 

\[
\begin{aligned}
\varphi^{-}_{164.508a3i} = {} & \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (t \in_T \text{phi}) \wedge {} \\
& (u \in_U \text{marketing}) \supset {} \\
& \text{obtained-authorization-164.508}(p_1, p_2, (q, t), u)
\end{aligned}
\]

This  negative  norm  has  several  exceptions: 

\[
\varphi^{-}_{164.508a3i'} = \varphi^{-}_{164.508a3i} \vee \varphi^{+}_{164.508a3iA} \vee \varphi^{+}_{164.508a3iB}
\]

These  exceptions  are  given  by  the  following  positive  norms.  First,  §164.508(a)(3)(i)(A): 

\[
\begin{aligned}
\varphi^{+}_{164.508a3iA} = {} & \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (p_2 = q) \wedge {} \\
& \text{face-to-face}(p_1, p_2, (q, t), u)
\end{aligned}
\]

Here we use a new predicate, face-to-face, to ensure that the disclosure is a face-to-face
communication. The semantics of this predicate are given by an oracle.

Second,  we  have  an  exception  for  §164.508(a)(3)(i)(B): 

\[
\varphi^{+}_{164.508a3iB} = \text{activerole}(p_1, \text{covered-entity}) \wedge \text{promotional-gift-of-nominal-value}(p_1, p_2, (q, t), u)
\]

Again,  we  rely  on  an  oracle  to  provide  semantics  for  the  new  promotional-gift-of-nominal-value 
predicate. 

164.508(a)(3)(ii)

If  the  marketing  involves  direct  or  indirect  remuneration  to  the  covered  entity  from 
a  third  party,  the  authorization  must  state  that  such  remuneration  is  involved. 

We  have  the  following  constraint,  which  is  captured  as  a  macro: 

\[
\begin{aligned}
\text{is-valid-authorization-164.508a3ii}(m', p_1, p_2, (q, t), u) = {} & (u \in_U \text{marketing}) \wedge {} \\
& (\text{involves-remuneration}(m', p_1, p_2, (q, t), u) \supset {} \\
& \quad \text{states-remuneration-involvement}(m', p_1, p_2, (q, t), u))
\end{aligned}
\]

This macro captures a validity condition on authorizations, and is of a different flavor than the
previous parts of this paragraph, §164.508(a)(3).
164.508(b)

At  this  point,  we  formalize  what  it  means  to  obtain  an  authorization.  Although  not  explicitly 
stated  in  the  law,  it  seems  reasonable  to  include  the  following  macro  as  the  means  of  obtaining  an 
authorization: 

\[
\begin{aligned}
\text{obtained-authorization-164.508}(p_1, p_2, (q, t), u) = {} & \exists m'.\ \Diamond\text{send}(q, p_1, m') \wedge {} \\
& \text{is-valid-authorization}(m', p_1, p_2, (q, t), u)
\end{aligned}
\]

Based on paragraphs §164.508(b)(1) and (2), an authorization is valid if it is valid under
§164.508(b)(1) and not defective under §164.508(b)(2):

\[
\begin{aligned}
\text{is-valid-authorization}(m', p_1, p_2, (q, t), u) = {} & \text{is-valid-authorization-164.508b1}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \neg\text{is-defective-authorization-164.508b2}(m', p_1, p_2, (q, t), u)
\end{aligned}
\]

Unfortunately,  this  has  the  distinct  disadvantage  of  not  adhering  to  the  structure  of  the  legal  text. 
However,  there  does  not  appear  to  be  a  clean  solution  that  also  adheres  to  the  structure  of  the  text. 

164.508(b)(1) 


(i) A valid authorization is a document that meets the requirements in paragraphs
(a)(3)(ii), (c)(1), and (c)(2) of this section, as applicable.

(ii) A valid authorization may contain elements or information in addition to the
elements required by this section, provided that such additional elements or
information are not inconsistent with the elements required by this section.

\[
\begin{aligned}
\text{is-valid-authorization-164.508b1}(m', p_1, p_2, (q, t), u) = {} & \text{is-valid-authorization-164.508a3ii}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \text{is-valid-authorization-164.508c1}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \text{is-valid-authorization-164.508c2}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \text{is-valid-authorization-164.508c3}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \neg\text{inconsistent-authorization}(m', p_1, p_2, (q, t), u)
\end{aligned}
\]

Although  it  is  not  mentioned  in  this  paragraph,  we  have  chosen  to  include  the  additional  constraint 
that  a  valid  authorization  must  meet  the  requirement  in  paragraph  (c)(3).  Without  this  addition, 
paragraph  (c)(3)  appears  to  be  an  orphan.  This  is  probably  just  an  oversight  on  the  part  of  the 
HIPAA  authors. 

164.508(b)(2) 

An  authorization  is  not  valid,  if  the  document  submitted  has  any  of  the  following 
defects: 

(i)  The  expiration  date  has  passed  or  the  expiration  event  is  known  by  the  covered 
entity  to  have  occurred; 

(ii)  The  authorization  has  not  been  filled  out  completely,  with  respect  to  an  element 
described  by  paragraph  (c)  of  this  section,  if  applicable; 
(iii) The authorization is known by the covered entity to have been revoked;

(iv)  The  authorization  violates  paragraph  (b)(3)  or  (4)  of  this  section,  if  applicable; 

(v)  Any  material  information  in  the  authorization  is  known  by  the  covered  entity  to  be 
false. 

\[
\begin{aligned}
\text{is-defective-authorization-164.508b2}(m', p_1, p_2, (q, t), u) = {} & \text{expiration-event-passed}(m', p_1, p_2, (q, t), u) \vee {} \\
& \text{is-incompletely-filled-out-authorization}(m', p_1, p_2, (q, t), u) \vee {} \\
& \text{authorization-has-been-revoked}(m', p_1, p_2, (q, t), u) \vee {} \\
& \text{violates-164.508b3}(m', p_1, p_2, (q, t), u) \vee {} \\
& \text{violates-164.508b4}(m', p_1, p_2, (q, t), u) \vee {} \\
& \text{contains-information-known-to-be-false}(m', p_1)
\end{aligned}
\]

Note that the new predicates expiration-event-passed, is-incompletely-filled-out-authorization, and
contains-information-known-to-be-false are given semantics via oracles. This is because the exact
form of authorization messages is not specified in HIPAA. The remaining pieces of this macro are
themselves macros defined below.

164.508(b)(3) 

An authorization for use or disclosure of protected health information may not be
combined with any other document to create a compound authorization, except as
follows:

(i)  An  authorization  for  the  use  or  disclosure  of  protected  health  information  for  a 
research  study  may  be  combined  with  any  other  type  of  written  permission  for  the 
same  research  study,  including  another  authorization  for  the  use  or  disclosure  of 
protected  health  information  for  such  research  or  a  consent  to  participate  in  such 
research; 

(ii) An authorization for a use or disclosure of psychotherapy notes may only be
combined with another authorization for a use or disclosure of psychotherapy notes;

(iii) An authorization under this section, other than an authorization for a use or
disclosure of psychotherapy notes, may be combined with any other such authorization
under  this  section,  except  when  a  covered  entity  has  conditioned  the  provision  of 
treatment,  payment,  enrollment  in  the  health  plan,  or  eligibility  for  benefits  under 
paragraph  (b)(4)  of  this  section  on  the  provision  of  one  of  the  authorizations. 

\[
\begin{aligned}
\text{violates-164.508b3}(m', p_1, p_2, (q, t), u) = {} & \text{is-compound-authorization}(m', p_1, p_2, (q, t), u) \supset {} \\
& \text{is-compound-research-authorization}(m', p_1, p_2, (q, t), u) \vee {} \\
& \text{is-compound-psychotherapy-authorization}(m', p_1, p_2, (q, t), u) \vee {} \\
& \neg\text{provision-of-healthcare-conditioned-on}(m', p_1, p_2, (q, t), u)
\end{aligned}
\]

164.508(b)(4) 

A  covered  entity  may  not  condition  the  provision  to  an  individual  of  treatment, 
payment,  enrollment  in  the  health  plan,  or  eligibility  for  benefits  on  the  provision  of  an 
authorization,  except: 
(i) A covered health care provider may condition the provision of research-related
treatment  on  provision  of  an  authorization  for  the  use  or  disclosure  of  protected 
health  information  for  such  research  under  this  section; 

(ii) A health plan may condition enrollment in the health plan or eligibility for benefits
on provision of an authorization requested by the health plan prior to an individual’s
enrollment in the health plan, if:

(A) The authorization sought is for the health plan’s eligibility or enrollment
determinations relating to the individual or for its underwriting or risk rating
determinations; and

(B)  The  authorization  is  not  for  a  use  or  disclosure  of  psychotherapy  notes  under 
paragraph  (a)(2)  of  this  section;  and 

(iii) A covered entity may condition the provision of health care that is solely for the
purpose  of  creating  protected  health  information  for  disclosure  to  a  third  party  on 
provision  of  an  authorization  for  the  disclosure  of  the  protected  health  information 
to  such  third  party. 

We  have  the  constraint: 

\[
\begin{aligned}
\text{provision-of-healthcare-conditioned-on}(m', p_1, p_2, (q, t), u) \Rightarrow {} & \text{is-for-research}(m', p_1, p_2, (q, t), u) \vee {} \\
& (\text{is-for-healthplan-enrollment}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \quad \neg\text{is-psychotherapy-authorization}(m', p_1, p_2, (q, t), u)) \vee {} \\
& \text{is-for-creation-solely-for-disclosure}(m', p_1, p_2, (q, t), u)
\end{aligned}
\]

164.508(b)(5) 

An  individual  may  revoke  an  authorization  provided  under  this  section  at  any  time, 
provided  that  the  revocation  is  in  writing,  except  to  the  extent  that: 

(i)  The  covered  entity  has  taken  action  in  reliance  thereon;  or 

(ii)  If  the  authorization  was  obtained  as  a  condition  of  obtaining  insurance  coverage, 
other  law  provides  the  insurer  with  the  right  to  contest  a  claim  under  the  policy  or 
the  policy  itself. 

We  have  the  macro: 

\[
\begin{aligned}
\text{authorization-has-been-revoked}(m', p_1, p_2, (q, t), u) = {} & \exists m''.\ \Diamond\text{send}(q, p_1, m'') \wedge {} \\
& \text{is-revocation}(m'', m', p_1, p_2, (q, t), u)
\end{aligned}
\]

Note  that  HIPAA  does  not  define  what  counts  as  a  revocation  message,  and  so  we  rely  on  an  oracle 
for  the  is-revocation  predicate. 

Also,  note  that  the  first  exception  regarding  action  taken  “in  reliance  thereon”  is  handled  by 
the  fact  that  validity  of  an  authorization  (and  therefore  absence  of  a  revocation)  is  checked  at  the 
moment  of  disclosure.  Any  disclosure  made  under  an  authorization  that  is  later  revoked  will  be 
valid  at  the  time  of  disclosure,  since  the  authorization  is  not  yet  revoked. 

The  second  exception  is  handled  by  other  law,  and  so  is  not  directly  a  part  of  our  HIPAA 
formalization. 
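To show how the §164.508(b) macros behave at the moment of a disclosure, here is an added Python example (not the thesis's own code) that evaluates obtained-authorization-164.508 over a constructed trace of send events. The oracle predicates are approximated by field checks on dict-valued messages; the message layout, the step numbers and the role names are assumptions.

```python
# Added example (not the thesis's own code): the §164.508 authorization macros
# evaluated at the moment of a disclosure, over a constructed trace of send events.
# Oracle predicates (is-revocation, expiration-event-passed, the contains-... checks)
# are approximated by field checks on dict-valued messages; that is an assumption.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Send:
    """One send(sender, receiver, msg) event at step `step` of the trace."""
    step: int
    sender: str
    receiver: str
    msg: Dict


def past_sends(trace: List[Send], now: int, sender: str, receiver: str) -> List[Send]:
    """The messages m for which ◇send(sender, receiver, m) holds at step `now`."""
    return [s for s in trace
            if s.step <= now and s.sender == sender and s.receiver == receiver]


def authorization_has_been_revoked(trace, now, m, q, p1) -> bool:
    """∃m''. ◇send(q, p1, m'') ∧ is-revocation(m'', m', ...). The is-revocation
    oracle is approximated by a message of kind 'revocation' naming m's id."""
    return any(s.msg.get("kind") == "revocation" and s.msg.get("revokes") == m["id"]
               for s in past_sends(trace, now, q, p1))


def expiration_event_passed(m, now) -> bool:
    """Oracle approximation: a numeric expiry step strictly before `now`;
    None stands for the 'none' / 'end of the research study' wording of (c)(1)(v)."""
    return m.get("expires") is not None and m["expires"] < now


def is_valid_authorization_164_508c1(m, q, roles) -> bool:
    """§164.508(c)(1): the core elements, with the signature disjunct of (c)(1)(vi):
    signed by q, or by a personal representative of q who describes their authority."""
    core = all(k in m for k in ("information", "senders", "recipients", "purpose", "expires"))
    signer = m.get("signature")
    signed_by_individual = signer == q
    signed_by_representative = (
        roles.get(signer) == f"personal-representative({q})"
        and bool(m.get("representation_authority"))
    )
    return core and (signed_by_individual or signed_by_representative)


def is_valid_authorization_164_508b1(m, q, roles) -> bool:
    """(b)(1): the (c)(1)-(c)(3) requirements; the (c)(2) notices and (c)(3) plain
    language are reduced to boolean fields (oracle approximation)."""
    return (m.get("kind") == "authorization"
            and is_valid_authorization_164_508c1(m, q, roles)
            and m.get("notices_c2", False)
            and m.get("plain_language", False))


def is_defective_authorization_164_508b2(trace, now, m, q, p1) -> bool:
    """Defects (b)(2)(i) and (b)(2)(iii); the other defects are omitted here."""
    return (expiration_event_passed(m, now)
            or authorization_has_been_revoked(trace, now, m, q, p1))


def obtained_authorization_164_508(trace, now, p1, q, roles) -> bool:
    """∃m'. ◇send(q, p1, m') ∧ is-valid-authorization(m', ...), checked at step `now`:
    a revocation that arrives later does not affect an earlier disclosure."""
    return any(is_valid_authorization_164_508b1(s.msg, q, roles)
               and not is_defective_authorization_164_508b2(trace, now, s.msg, q, p1)
               for s in past_sends(trace, now, q, p1))


# Constructed trace: patient q authorizes covered entity p1 at step 1, revokes at step 7,
# and a representative r signs a second authorization at step 9 that expires at step 11.
ROLES = {"r": "personal-representative(q)"}
AUTH_1 = {"kind": "authorization", "id": "auth-1", "information": "lab-results",
          "senders": "p1", "recipients": "p2", "purpose": "research", "expires": 20,
          "signature": "q", "notices_c2": True, "plain_language": True}
AUTH_2 = {**AUTH_1, "id": "auth-2", "expires": 11, "signature": "r",
          "representation_authority": "durable power of attorney"}
TRACE = [
    Send(1, "q", "p1", AUTH_1),
    Send(7, "q", "p1", {"kind": "revocation", "revokes": "auth-1"}),
    Send(9, "q", "p1", AUTH_2),
]


def disclosure_authorized(now: int) -> bool:
    """Does p1 hold a valid authorization from q at disclosure step `now`?"""
    return obtained_authorization_164_508(TRACE, now, "p1", "q", ROLES)
```

A disclosure at step 5 is covered by auth-1, one at step 8 is not (revoked at 7), one at step 10 is covered by the representative's auth-2, and one at step 12 is not (auth-2 expired).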
164.508(b)(6)

A covered entity must document and retain any signed authorization under this
section as required by §164.530(j).

The  model  used  in  our  formalization  currently  supports  only  disclosures;  we  have  no  mechanism 
to  track  the  physical  records  held  by  the  various  entities. 

164.508(c) 

164.508(c)(1) 

A  valid  authorization  under  this  section  must  contain  at  least  the  following  elements: 

(i) A description of the information to be used or disclosed that identifies the
information in a specific and meaningful fashion.

(ii)  The  name  or  other  specific  identification  of  the  person(s),  or  class  of  persons, 
authorized  to  make  the  requested  use  or  disclosure. 

(iii) The name or other specific identification of the person(s), or class of persons, to
whom  the  covered  entity  may  make  the  requested  use  or  disclosure. 

(iv)  A  description  of  each  purpose  of  the  requested  use  or  disclosure.  The  statement 
“at  the  request  of  the  individual”  is  a  sufficient  description  of  the  purpose  when 
an  individual  initiates  the  authorization  and  does  not,  or  elects  not  to,  provide  a 
statement  of  the  purpose. 

(v) An expiration date or an expiration event that relates to the individual or the
purpose of the use or disclosure. The statement “end of the research study,” “none,”
or similar language is sufficient if the authorization is for a use or disclosure of
protected health information for research, including for the creation and
maintenance of a research database or research repository.

(vi)  Signature  of  the  individual  and  date.  If  the  authorization  is  signed  by  a  personal 
representative  of  the  individual,  a  description  of  such  representative’s  authority  to 
act  for  the  individual  must  also  be  provided. 

\[
\begin{aligned}
\text{is-valid-authorization-164.508c1}(m', p_1, p_2, (q, t), u) = {} & \text{contains-description-allowed-information}(m', (q, t)) \wedge {} \\
& \text{contains-description-allowed-senders}(m', p_1) \wedge {} \\
& \text{contains-description-allowed-recipients}(m', p_2) \wedge {} \\
& \text{contains-description-allowed-purpose}(m', u) \wedge {} \\
& \text{contains-expiration-date-or-event}(m') \wedge {} \\
& (\text{contains-signature}(m', q) \vee {} \\
& \quad (\exists p_3.\ \text{belongstorole}(p_3, \text{personal-representative}(q)) \wedge {} \\
& \quad\quad \text{contains-signature}(m', p_3) \wedge {} \\
& \quad\quad \text{contains-description-representation-authority}(m', p_3)))
\end{aligned}
\]

Note that we must use new contains-... predicates, which are given semantics via oracles since
HIPAA does not specify a concrete format for authorization messages. Our built-in contains
predicate does not work here because the pieces of information in which we are interested are not
associated with particular principals.

164.508(c)(2) 

In  addition  to  the  core  elements,  the  authorization  must  contain  statements  adequate 
to  place  the  individual  on  notice  of  all  of  the  following: 

(i)  The  individual’s  right  to  revoke  the  authorization  in  writing,  and  either: 

(A)  The  exceptions  to  the  right  to  revoke  and  a  description  of  how  the  individual 
may  revoke  the  authorization;  or 

(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is
included in the notice required by §164.520, a reference to the covered entity’s
notice.

(ii)  The  ability  or  inability  to  condition  treatment,  payment,  enrollment  or  eligibility 
for  benefits  on  the  authorization,  by  stating  either: 

(A) The covered entity may not condition treatment, payment, enrollment or
eligibility for benefits on whether the individual signs the authorization when
the prohibition on conditioning of authorizations in paragraph (b)(4) of this
section applies; or

(B)  The  consequences  to  the  individual  of  a  refusal  to  sign  the  authorization  when, 
in  accordance  with  paragraph  (b)(4)  of  this  section,  the  covered  entity  can 
condition  treatment,  enrollment  in  the  health  plan,  or  eligibility  for  benefits  on 
failure  to  obtain  such  authorization. 

(iii) The potential for information disclosed pursuant to the authorization to be subject
to redisclosure by the recipient and no longer be protected by this subpart.

\[
\begin{aligned}
\text{is-valid-authorization-164.508c2}(m', p_1, p_2, (q, t), u) = {} & \text{contains-description-right-to-revoke}(m') \wedge {} \\
& ((\text{contains-description-exceptions-right-to-revoke}(m') \wedge {} \\
& \quad \text{contains-description-revocation-procedure}(m')) \vee {} \\
& \quad \text{contains-reference-to-164.520notice}(m')) \wedge {} \\
& \text{contains-description-conditioning-treatment-etc}(m') \wedge {} \\
& \text{contains-description-redisclosure-potential}(m')
\end{aligned}
\]

164.508(c)(3) 

The authorization must be written in plain language.

\[
\text{is-valid-authorization-164.508c3}(m', p_1, p_2, (q, t), u) = \text{in-plain-language}(m', p_1, p_2, (q, t), u)
\]

Again,  the  new  predicate  in-plain-language  relies  on  an  oracle  for  its  semantics. 

164.508(c)(4) 

If  a  covered  entity  seeks  an  authorization  from  an  individual  for  a  use  or  disclosure 
of  protected  health  information,  the  covered  entity  must  provide  the  individual  with  a 
copy  of  the  signed  authorization. 
This paragraph does not quite fit with our model. In our model, an individual sends the covered
entity  a  signed  authorization.  Since  the  authorization  comes  from  the  individual,  the  individual 
can  make  his  own  copy. 

4.5 §164.510 Uses and disclosures requiring an opportunity for the individual to agree or object.

A  covered  entity  may  use  or  disclose  protected  health  information,  provided  that  the 
individual  is  informed  in  advance  of  the  use  or  disclosure  and  has  the  opportunity  to 
agree  to  or  prohibit  or  restrict  the  use  or  disclosure,  in  accordance  with  the  applicable 
requirements  of  this  section.  The  covered  entity  may  orally  inform  the  individual  of  and 
obtain  the  individual’s  oral  agreement  or  objection  to  a  use  or  disclosure  permitted  by 
this  section. 

    permitted_by_164_510(A) :-
        is_phi(A),
        (permitted_by_164_510_a(A) ;
         permitted_by_164_510_b(A)).

As usual, we have no directly corresponding norms. Instead, the norms are taken from
paragraphs (a) and (b).

164.510(a) 

    permitted_by_164_510_a(A) :-
        permitted_by_164_510_a_1(A),
        (permitted_by_164_510_a_2(A) ;
         excluded_by_164_510_a_3(A)).

Due to the nested exceptions, we follow the strategy of Lam et al.'s Datalog formalization and
introduce a macro for the combination of the individual components:

\[
\varphi_{164.510a} = \varphi^{+}_{164.510a1ii} \wedge (\varphi^{-}_{164.510a2} \vee (\varphi^{+}_{164.510a3i} \wedge \varphi^{-}_{164.510a3ii}))
\]

164.510(a)(1) 

Except  when  an  objection  is  expressed  in  accordance  with  paragraphs  (a)(2)  or  (3) 
of  this  section,  a  covered  health  care  provider  may: 

164.510(a)(1)(i)

Use  the  following  protected  health  information  to  maintain  a  directory  of  individuals 
in  its  facility: 

(A)  The  individual’s  name; 

(B)  The  individual’s  location  in  the  covered  health  care  provider’s  facility; 

(C)  The  individual’s  condition  described  in  general  terms  that  does  not  communicate 
specific  medical  information  about  the  individual;  and 
(D) The individual’s religious affiliation; and

Lam  et  al.’s  formalization  has  no  corresponding  clauses.  Because  our  model  does  not  currently 
support  uses  of  protected  information,  we,  too,  do  not  have  any  corresponding  norms. 

164.510(a)(1)(ii)

Disclose  for  directory  purposes  such  information: 

(A)  To  members  of  the  clergy;  or 

(B)  Except  for  religious  affiliation,  to  other  persons  who  ask  for  the  individual  by  name. 

    permitted_by_164_510_a_1(A) :-
        (is_for_directory_purp(A),
         is_nam_loc_or_condition(A),
         % need to implement "asked by name"
         fail) ;
        (is_to_clergy(A),
         (is_type_relig(A) ;
          is_nam_loc_or_condition(A)),
         writeln('HIPAA rule 164_510_a_1')).

The Datalog formalization of Lam et al. does not appear to include, here or elsewhere, the
possibility for objection to this disclosure.

We  have  the  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.510a1ii} = {} & \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (\text{activerole}(p_2, \text{clergy}) \vee {} \\
& \quad (\neg(t \in_T \text{religious-affiliation}) \wedge {} \\
& \quad\ \exists m'.\ \Diamond\text{send}(p_2, p_1, m') \wedge {} \\
& \quad\quad \text{is-directory-request-by-name}(m', p_2, p_1, (q, t), u))) \wedge {} \\
& (t \in_T \text{directory-information}) \wedge {} \\
& (u \in_U \text{directory})
\end{aligned}
\]

Note that we do not incorporate the “Except when an objection is expressed” phrase here. Instead,
we choose to locate this exception in $\varphi^{-}_{164.510a2}$ in order to link it to the corresponding opportunity
to object.

164.510(a)(2) 

A covered health care provider must inform an individual of the protected health
information that it may include in a directory and the persons to whom it may disclose
such information (including disclosures to clergy of information regarding religious
affiliation) and provide the individual with the opportunity to restrict or prohibit some or
all of the uses or disclosures permitted by paragraph (a)(1) of this section.

    permitted_by_164_510_a_2(A) :-
        is_about_was_given_consent_opp(A),
        writeln('HIPAA rule 164_510_a_2').
We have the negative norm that no objection has been received since the opportunity to object
was provided:

\[
\begin{aligned}
\varphi^{-}_{164.510a2} = {} & (\neg\exists m''.\ \text{send}(q, p_1, m'') \wedge {} \\
& \quad \text{is-directory-objection-164.510a}(m'', p_1, p_2, (q, t), u)) \\
& \mathcal{S} \\
& (\exists m'.\ \text{send}(p_1, q, m') \wedge {} \\
& \quad \text{is-opportunity-to-object-164.510a}(m', p_1, p_2, (q, t), u))
\end{aligned}
\]

This  is  most  cleanly  expressed  using  the  “since”  temporal  operator,  S. 

164.510(a)(3) 

164.510(a)(3)(i) 

If  the  opportunity  to  object  to  uses  or  disclosures  required  by  paragraph  (a)(2)  of 
this  section  cannot  practicably  be  provided  because  of  the  individual’s  incapacity  or  an 
emergency  treatment  circumstance,  a  covered  health  care  provider  may  use  or  disclose 
some  or  all  of  the  protected  health  information  permitted  by  paragraph  (a)(1)  of  this 
section  for  the  facility’s  directory,  if  such  disclosure  is: 

(A)  Consistent  with  a  prior  expressed  preference  of  the  individual,  if  any,  that  is  known 
to  the  covered  health  care  provider;  and 

(B)  In  the  individual’s  best  interest  as  determined  by  the  covered  health  care  provider, 
in  the  exercise  of  professional  judgment. 

    excluded_by_164_510_a_3(A) :-
        (is_about_incapac(A) ;
         is_about_emerg(A)),
        fail,
        % not sure how to implement is consistent with past,
        is_belief_best_interest(A),
        writeln('HIPAA rule 164_510_a3').

We  have  the  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.510a3i} = {} & \neg\text{practicable-to-provide-opportunity-to-object-164.510a}(p_1, p_2, (q, t), u) \wedge {} \\
& \text{consistent-with-prior-preference}(p_1, p_2, (q, t), u) \wedge {} \\
& \text{believes-in-best-interest-164.510a3iB}(p_1, p_2, (q, t), u)
\end{aligned}
\]

where  practicable-to-provide-opportunity-to-object-164.510a  is  defined  as  the  macro: 

\[
\begin{aligned}
\text{practicable-to-provide-opportunity-to-object-164.510a}(p_1, p_2, (q, t), u) = {} & \neg\text{belongstorole}(q, \text{incapacitated}) \wedge {} \\
& \neg\text{belongstorole}(q, \text{emergency-treatment})
\end{aligned}
\]

Because this positive norm is joined by disjunction with $\varphi^{-}_{164.510a2}$ (in $\varphi_{164.510a}$), this has the effect of
allowing the opportunity to object to be skipped if it is not practicable to provide that opportunity.
164.510(a)(3)(ii)

The covered health care provider must inform the individual and provide an
opportunity to object to uses or disclosures for directory purposes as required by paragraph
(a)(2) of this section when it becomes practicable to do so.

There is no corresponding Datalog clause in Lam et al.'s formalization, likely because Datalog
has no means of speaking about future events and their obligations.

We  use  the  following  negative  exception: 

\[
\begin{aligned}
\varphi^{-}_{164.510a3ii} = {} & (\neg\text{practicable-to-provide-opportunity-to-object-164.510a}(p_1, p_2, (q, t), u)) \\
& \mathcal{W} \\
& (\exists m'.\ \text{send}(p_1, q, m') \wedge {} \\
& \quad \text{is-opportunity-to-object-164.510a}(m', p_1, p_2, (q, t), u))
\end{aligned}
\]

In  other  words,  an  opportunity  to  object  can  be  sent  in  the  current  state  or  a  future  state,  provided 
that  in  no  intervening  state  is  it  practicable  to  provide  an  opportunity  to  object. 

This norm has the drawback of repeating text from $\varphi^{-}_{164.510a2}$, but it does not seem possible to
avoid doing so.

164.510(b) 

164.510(b)(1) 

164.510(b)(1)(i)

A  covered  entity  may,  in  accordance  with  paragraphs  (b)(2)  or  (3)  of  this  section, 
disclose  to  a  family  member,  other  relative,  or  a  close  personal  friend  of  the  individual, 
or  any  other  person  identified  by  the  individual,  the  protected  health  information  directly 
relevant  to  such  person’s  involvement  with  the  individual’s  care  or  payment  related  to 
the  individual’s  health  care. 

    permitted_by_164_510_b_1_i(A) :-
        is_phi(A),
        is_from_coveredEntity(A),
        (is_to_relative(A) ;
         is_to_closeFriend(A) ;
         is_to_personIdentified(A)),
        is_relevant_to_payment_or_care_involvement(A),
        writeln('HIPAA rule 164_510_b_1_i').

We  have  the  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.510b1i} = {} & \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (\text{activerole}(p_2, \text{family-member}(q)) \vee {} \\
& \quad \text{activerole}(p_2, \text{relative}(q)) \vee {} \\
& \quad \text{activerole}(p_2, \text{close-personal-friend}(q)) \vee {} \\
& \quad \text{activerole}(p_2, \text{identified-164.510b}(q))) \wedge {} \\
& (t \in_T \text{phi}) \wedge {} \\
& \text{relevant-to-involvement}(t, p_2, q)
\end{aligned}
\]
Because HIPAA does not describe the process under which an individual may identify a person to
which protected health information may be sent, we abstractly represent this relationship using a
role identified-164.510b(q). The process of naming this person would constrain the principals that
may hold this role.

164.510(b)(1)(ii)

A covered entity may use or disclose protected health information to notify, or assist
in the notification of (including identifying or locating), a family member, a personal
representative of the individual, or another person responsible for the care of the
individual of the individual’s location, general condition, or death. Any such use or disclosure
of protected health information for such notification purposes must be in accordance with
paragraphs (b)(2), (3), or (4) of this section, as applicable.

    permitted_by_164_510_b_1_ii(A) :-
        is_phi(A),
        is_from_coveredEntity(A),
        (is_for_notification_fam_personalrep_respons_of_location(A) ;
         is_for_notification_fam_personalrep_respons_of_gencond(A) ;
         is_for_notification_fam_personalrep_respons_of_death(A)),
        writeln('HIPAA rule 164_510_b_1_ii').

We  have  the  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.510b1ii} = {} & \text{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (((\text{activerole}(p_2, \text{family-member}(q)) \vee {} \\
& \quad \text{activerole}(p_2, \text{personal-representative}(q)) \vee {} \\
& \quad \text{activerole}(p_2, \text{responsible-for-care-of}(q))) \wedge {} \\
& \quad (t \in_T \text{location-condition-death}) \wedge {} \\
& \quad (u \in_U \text{notification-164.510b})) \vee {} \\
& \ ((t \in_T \text{phi}) \wedge {} \\
& \quad (u \in_U \text{assist-notification-164.510b})))
\end{aligned}
\]


164.510(b)(2) 

If  the  individual  is  present  for,  or  otherwise  available  prior  to,  a  use  or  disclosure 
permitted  by  paragraph  (b)(1)  of  this  section  and  has  the  capacity  to  make  health  care 
decisions,  the  covered  entity  may  use  or  disclose  the  protected  health  information  if  it: 

(i)  Obtains  the  individual’s  agreement; 

(ii)  Provides  the  individual  with  the  opportunity  to  object  to  the  disclosure,  and  the 
individual  does  not  express  an  objection;  or 

(iii) Reasonably infers from the circumstances, based the exercise of professional
judgment, that the individual does not object to the disclosure.

    % not sure how to implement these yet:
    % is_about_present, is_about_avail_for_consent, is_about_in_capac_to_make_dec
    % currently they fail
    permitted_by_164_510_b_2(A) :-
        ((not(is_about_present(A)) ;
          not(is_about_avail_for_consent(A))),
         not(is_about_in_capac_to_make_dec(A))) ;
        ((is_about_present(A) ;
          is_about_avail_for_consent(A)),
         (is_about_in_capac_to_make_dec(A)),
         (is_consentedby_about(A) ;
          is_about_was_given_consent_opp(A) ;
          is_belief_can_be_inferred_indiv_wouldnt_object(A))),
        writeln('HIPAA rule 164_510_b_2').

Lam  et  al.  seem  to  be  using  negation  as  a  means  of  simulating  classical  implication. 

We  have  the  negative  norm: 

\[
\begin{aligned}
\varphi^{-}_{164.510b2} = {} & \Diamond(\text{available}(p_1, q) \wedge {} \\
& \quad \text{has-capacity-to-make-healthcare-decisions}(q)) \supset {} \\
& \text{has-obtained-agreement-164.510b2}(p_1, p_2, (q, t), u) \vee {} \\
& \text{has-provided-opportunity-no-objection-164.510b2}(p_1, p_2, (q, t), u) \vee {} \\
& \text{professional-judgment-individual-does-not-object}(p_1, p_2, (q, t), u)
\end{aligned}
\]

Although  HIPAA  does  not  explicitly  define  what  it  means  to  obtain  the  individual’s  agreement 
or  provide  an  opportunity  to  object,  it  seems  reasonable  to  implement  these  as  the  following  macros: 

\[
\begin{aligned}
\text{has-obtained-agreement-164.510b2}(p_1, p_2, (q, t), u) = {} & \exists m'.\ \Diamond\text{send}(q, p_1, m') \wedge {} \\
& \text{is-agreement-164.510b2}(m', p_1, p_2, (q, t), u)
\end{aligned}
\]

\[
\begin{aligned}
\text{has-provided-opportunity-no-objection-164.510b2}(p_1, p_2, (q, t), u) = {} & (\neg\exists m''.\ \text{send}(q, p_1, m'') \wedge {} \\
& \quad \text{is-objection-164.510b2}(m'', p_1, p_2, (q, t), u))\ \mathcal{S} \\
& (\exists m'.\ \text{send}(p_1, q, m') \wedge {} \\
& \quad \text{is-opportunity-to-object-164.510b2}(m', p_1, p_2, (q, t), u))
\end{aligned}
\]

The  predicate  professional-judgment-individual-does-not-object  is  given  semantics  via  an  oracle. 
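As an added example (not from the thesis), the following Python checker evaluates the since-based norms of §164.510(a)(2) and the (b)(2) macro just given, together with the weak-until norm of §164.510(a)(3)(ii), on finite traces of constructed states. Reducing the message predicates to atomic facts per state and evaluating W on the observed finite prefix are assumptions.

```python
# Added example (not the thesis's own code): a finite-trace checker for the "since"
# (S) and weak-until (W) norms of §164.510. Each state is the set of atomic facts
# that hold there, reduced from the message predicates: 'opportunity' stands for
# ∃m'. send(p1, q, m') ∧ is-opportunity-to-object(...), 'objection' for the individual's
# objection message, and so on. Evaluating W on a finite prefix is an assumption.
from typing import Callable, List, Set

State = Set[str]
Pred = Callable[[State], bool]


def since(phi: Pred, psi: Pred, trace: List[State], i: int) -> bool:
    """phi S psi at position i: psi held at some k <= i and phi has held at every
    position strictly after k, up to and including i. Only the most recent such k
    matters, since an earlier one would require phi over a superset of positions."""
    for k in range(i, -1, -1):
        if psi(trace[k]):
            return all(phi(trace[j]) for j in range(k + 1, i + 1))
    return False


def weak_until(phi: Pred, psi: Pred, trace: List[State], i: int) -> bool:
    """phi W psi at position i: phi holds from i onward until some position where
    psi holds, or phi holds at every position to the end of the observed trace."""
    for k in range(i, len(trace)):
        if psi(trace[k]):
            return True
        if not phi(trace[k]):
            return False
    return True


def practicable(s: State) -> bool:
    """practicable-to-provide-opportunity-to-object-164.510a: q is neither
    incapacitated nor under emergency treatment in this state."""
    return "incapacitated" not in s and "emergency-treatment" not in s


def phi_neg_164_510a2(trace: List[State], i: int) -> bool:
    """No directory objection received since the opportunity to object was provided."""
    return since(lambda s: "objection" not in s, lambda s: "opportunity" in s, trace, i)


def phi_pos_164_510a3i(trace: List[State], i: int) -> bool:
    """Not practicable, consistent with a known prior preference, and believed to be
    in the individual's best interest (the last two are oracle facts in the state)."""
    s = trace[i]
    return not practicable(s) and "consistent-prior-preference" in s and "best-interest" in s


def phi_neg_164_510a3ii(trace: List[State], i: int) -> bool:
    """The opportunity to object is provided no later than the first state in which
    providing it becomes practicable (weak until)."""
    return weak_until(lambda s: not practicable(s), lambda s: "opportunity" in s, trace, i)


def directory_disclosure_permitted(trace: List[State], i: int) -> bool:
    """The exception part of φ_164.510a for a disclosure at position i; the role and
    attribute conditions of φ⁺_164.510a1ii are assumed to hold."""
    return phi_neg_164_510a2(trace, i) or (
        phi_pos_164_510a3i(trace, i) and phi_neg_164_510a3ii(trace, i))


def has_provided_opportunity_no_objection_164_510b2(trace: List[State], i: int) -> bool:
    """The §164.510(b)(2) macro has the same S shape, with the (b)(2) message predicates."""
    return since(lambda s: "objection-b2" not in s, lambda s: "opportunity-b2" in s, trace, i)


# Constructed traces. ROUTINE: opportunity given at 1, objection at 3, new opportunity at 5.
ROUTINE = [set(), {"opportunity"}, set(), {"objection"}, set(), {"opportunity"}]
# EMERGENCY_OK: q under emergency treatment at 0 and 1; the opportunity is given at 2,
# the first practicable state, so φ⁻_164.510a3ii holds at 0.
EMERGENCY_OK = [{"emergency-treatment", "consistent-prior-preference", "best-interest"},
                {"emergency-treatment"}, {"opportunity"}]
# EMERGENCY_LATE: same start, but state 2 is practicable and no opportunity is given.
EMERGENCY_LATE = [{"emergency-treatment", "consistent-prior-preference", "best-interest"},
                  {"emergency-treatment"}, set()]
```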

164.510(b)(3) 

If the individual is not present, or the opportunity to agree or object to the use or
disclosure cannot practicably be provided because of the individual’s incapacity or an
emergency circumstance, the covered entity may, in the exercise of professional
judgment, determine whether the disclosure is in the best interests of the individual and, if
so, disclose only the protected health information that is directly relevant to the person’s
involvement with the individual’s health care. A covered entity may use professional
judgment and its experience with common practice to make reasonable inferences of the
individual’s best interest in allowing a person to act on behalf of the individual to pick up
filled prescriptions, medical supplies, X-rays, or other similar forms of protected health
information.

    permitted_by_164_510_b_3(A) :-
        (is_about_present(A),
         (not(is_about_incapac(A)),
          not(is_about_emerg(A)))) ;
        (is_belief_best_interest(A),
         (is_relevant_to_payment_or_health_involvement(A) ;
          is_msg_type(A, pres_medsupp_xray_etc))),
        writeln('HIPAA rule 164_510_b_3').

Again,  it  seems  that  Lam  et  al.  use  negation  to  simulate  classical  implication. 

We  have  the  following  negative  norm: 

\[
\begin{aligned}
\varphi^{-}_{164.510b3} = {} & \neg\Diamond(\text{available}(p_1, q) \wedge {} \\
& \quad \text{has-capacity-to-make-healthcare-decisions}(q)) \supset {} \\
& \text{professional-judgment-is-in-best-interest-of-164.510b3}(p_1, p_2, (q, t), u) \wedge {} \\
& \text{relevant-to-involvement}(t, p_2, q)
\end{aligned}
\]

The  new  predicates  introduced  here  all  rely  on  oracles  for  their  semantics. 

164.510(b)(4) 

A  covered  entity  may  use  or  disclose  protected  health  information  to  a  public  or 
private  entity  authorized  by  law  or  by  its  charter  to  assist  in  disaster  relief  efforts, 
for  the  purpose  of  coordinating  with  such  entities  the  uses  or  disclosures  permitted  by 
paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2) and (3) of
this  section  apply  to  such  uses  and  disclosure  to  the  extent  that  the  covered  entity,  in 
the  exercise  of  professional  judgment,  determines  that  the  requirements  do  not  interfere 
with  the  ability  to  respond  to  the  emergency  circumstances. 

    permitted_by_164_510_b_4(A) :-
        permitted_by_164_510_b_1_ii(A),
        (is_to_privateEntity(A) ;
         is_to_publicEntity(A)),
        (is_to_authorizedByLaw_to_assist_disasterRelief(A) ;
         is_to_authorizedByCharter_to_assist_disasterRelief(A)),
        ((permitted_by_164_510_b_2(A),
          permitted_by_164_510_b_3(A)) ;
         is_belief_not_disclosing_would_interfere_with_emergResponse(A)),
        writeln('HIPAA rule 164_510_b_4').

We  have  the  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.510b4} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \mathrm{activerole}(p_2, \text{authorized-by-law-or-charter-to-assist-in-disaster-relief}) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{coordinate-disclosure-under-164.510b1ii})
\end{aligned}
\]
The final positive norm would be restricted according to the negative norms from paragraphs (b)(2)
and (3):

\[
\begin{aligned}
\varphi^{+}_{164.510b4'} ={}& \varphi^{+}_{164.510b4} \wedge {} \\
& \bigl(\neg\text{prof-judgment-reqs-do-not-interfere-with-emerg-response}(p_1, p_2, (q, t), u) \vee {} \\
& \quad (\varphi^{-}_{164.510b2} \wedge \varphi^{-}_{164.510b3})\bigr)
\end{aligned}
\]

4.6 §164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.

A  covered  entity  may  use  or  disclose  protected  health  information  without  the  written 
authorization of the individual, as described in §164.508, or the opportunity for the
individual to agree or object as described in §164.510, in the situations covered by this
section,  subject  to  the  applicable  requirements  of  this  section.  When  the  covered  entity 
is  required  by  this  section  to  inform  the  individual  of,  or  when  the  individual  may  agree 
to,  a  use  or  disclosure  permitted  by  this  section,  the  covered  entity's  information  and 
the  individual’s  agreement  may  be  given  orally. 

The  Datalog  formalization  of  Lam  et  al.  does  not  cover  §164.512: 

    permitted_by_164_512(A) :-
        debug('164.512: not implemented: uses and disclosure where authorization not required;').

Since §164.502(a)(1)(vi) explicitly permits disclosures under this section, there is no need to
add  any  norms  at  this  point;  they  will  come  from  the  following  paragraphs. 

164.512(a) 

164.512(a)(1) 

A  covered  entity  may  use  or  disclose  protected  health  information  to  the  extent  that 
such  use  or  disclosure  is  required  by  law  and  the  use  or  disclosure  complies  with  and  is 
limited  to  the  relevant  requirements  of  such  law. 

\[
\begin{aligned}
\varphi^{+}_{164.512a1} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& \text{is-required-by-law}(p_1, p_2, (q, t), u)
\end{aligned}
\]

The  phrase  “is  limited  to  the  relevant  requirements  of  such  law”  is  captured  by  the  fact  that  we 
examine  one  piece  of  information  at  a  time.  Since  we  choose  not  to  formalize  all  relevant  laws,  we 
rely  on  an  oracle  to  provide  semantics  for  the  is-required-by-law  predicate. 
164.512(a)(2)

A  covered  entity  must  meet  the  requirements  described  in  paragraph  (c),  (e),  or  (f) 
of  this  section  for  uses  or  disclosures  required  by  law. 

To ensure that the requirements from paragraphs (c), (e), and (f) are satisfied, we join the
negative norms from those paragraphs with $\varphi^{+}_{164.512a1}$ to form a new positive norm:

\[
\begin{aligned}
\varphi^{+}_{164.512a2} ={}& \varphi^{+}_{164.512a1} \wedge {} \\
& \textstyle\bigwedge_{i \in 164.512c} \varphi^{-}_i \wedge {} \\
& \textstyle\bigwedge_{i \in 164.512e} \varphi^{-}_i \wedge {} \\
& \textstyle\bigwedge_{i \in 164.512f} \varphi^{-}_i
\end{aligned}
\]

164.512(b) 

164.512(b)(1) 

A covered entity may disclose protected health information for the public health activities
and purposes described in this paragraph to:

164.512(b)(1)(i)

A public health authority that is authorized by law to collect or receive such information
for the purpose of preventing or controlling disease, injury, or disability, including,
but  not  limited  to,  the  reporting  of  disease,  injury,  vital  events  such  as  birth  or  death, 
and  the  conduct  of  public  health  surveillance,  public  health  investigations,  and  public 
health  interventions;  or,  at  the  direction  of  a  public  health  authority,  to  an  official  of  a 
foreign  government  agency  that  is  acting  in  collaboration  with  a  public  health  authority; 

\[
\begin{aligned}
\varphi^{+}_{164.512b1i} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \bigl(\exists p_2'.\ \mathrm{activerole}(p_2', \text{public-health-authority}) \wedge {} \\
& \quad \mathrm{activerole}(p_2', \text{authorized-by-law-for-purpose}(u)) \wedge {} \\
& \quad ((p_2 = p_2') \vee {} \\
& \quad\ (\mathrm{activerole}(p_2, \text{foreign-government-agency}) \wedge {} \\
& \quad\quad \text{directed-disclosure}(p_2', p_1, p_2, (q, t), u)))\bigr) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& ((u \in_U \text{disease-prevention-or-control}) \vee {} \\
& \ (u \in_U \text{public-health-surveillance}) \vee {} \\
& \ (u \in_U \text{public-health-investigation}) \vee {} \\
& \ (u \in_U \text{public-health-intervention}))
\end{aligned}
\]
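To make the role facts, the two hierarchies and the existential over the directing authority in this norm concrete, here is an added example written for this page (it is not code from the report or from Lam et al.): a small Python evaluator for $\varphi^{+}_{164.512b1i}$. The attribute hierarchy, the purpose hierarchy, the role facts and the directed-disclosure facts are all constructed sample data, and a parameterized role such as authorized-by-law-for-purpose(u) is modelled as a (name, u) tuple.

```python
from dataclasses import dataclass, field

# Constructed sample hierarchies (child -> parent). The report's T and U are
# orders on attributes and purposes; here each is a small tree, and
# t ∈_T phi holds when phi is an ancestor of (or equal to) t.
ATTRIBUTE_PARENT = {
    "lab-result": "phi",
    "diagnosis": "phi",
    "phi": None,
    "shoe-size": "non-phi",   # constructed: not protected health information
    "non-phi": None,
}
PURPOSE_PARENT = {
    "tb-outbreak-reporting": "disease-prevention-or-control",
    "disease-prevention-or-control": "public-health",
    "public-health-surveillance": "public-health",
    "public-health": None,
    "marketing": None,
}

# The four purposes named in phi+_164.512b1i.
B1I_PURPOSES = (
    "disease-prevention-or-control",
    "public-health-surveillance",
    "public-health-investigation",
    "public-health-intervention",
)


def in_hierarchy(parent_of, item, ancestor):
    """item ∈_X ancestor: walk up the parent chain until ancestor or a root."""
    while item is not None:
        if item == ancestor:
            return True
        item = parent_of.get(item)
    return False


@dataclass(frozen=True)
class Disclosure:
    """One send(p1, p2, (q, t), u): sender, recipient, subject, attribute, purpose."""
    p1: str
    p2: str
    q: str
    t: str
    u: str


@dataclass
class World:
    active_roles: set                       # activerole(p, r) facts
    directed: set = field(default_factory=set)  # directed-disclosure(p2', p1, p2, q, t, u)

    def activerole(self, p, role):
        return (p, role) in self.active_roles

    def principals_in(self, role):
        return {p for (p, r) in self.active_roles if r == role}


def permitted_by_164_512b1i(w, d):
    """Evaluate the reconstructed positive norm phi+_164.512b1i on one disclosure."""
    if not w.activerole(d.p1, "covered-entity"):
        return False
    if not in_hierarchy(ATTRIBUTE_PARENT, d.t, "phi"):                     # t ∈_T phi
        return False
    if not any(in_hierarchy(PURPOSE_PARENT, d.u, p) for p in B1I_PURPOSES):  # u ∈_U ...
        return False
    # ∃p2'. activerole(p2', public-health-authority) ∧
    #       activerole(p2', authorized-by-law-for-purpose(u)) ∧
    #       ((p2 = p2') ∨ (activerole(p2, foreign-government-agency) ∧
    #                      directed-disclosure(p2', p1, p2, (q, t), u)))
    for p2_prime in w.principals_in("public-health-authority"):
        if not w.activerole(p2_prime, ("authorized-by-law-for-purpose", d.u)):
            continue
        if d.p2 == p2_prime:
            return True
        if (w.activerole(d.p2, "foreign-government-agency")
                and (p2_prime, d.p1, d.p2, d.q, d.t, d.u) in w.directed):
            return True
    return False


def sample_world():
    """Constructed facts: a clinic, a public health authority and a foreign agency."""
    return World(
        active_roles={
            ("clinic", "covered-entity"),
            ("health-dept", "public-health-authority"),
            ("health-dept", ("authorized-by-law-for-purpose", "tb-outbreak-reporting")),
            ("foreign-agency", "foreign-government-agency"),
        },
        directed={("health-dept", "clinic", "foreign-agency", "alice",
                   "lab-result", "tb-outbreak-reporting")},
    )


SAMPLE_CASES = [
    Disclosure("clinic", "health-dept", "alice", "lab-result", "tb-outbreak-reporting"),        # direct
    Disclosure("clinic", "foreign-agency", "alice", "lab-result", "tb-outbreak-reporting"),     # directed
    Disclosure("clinic", "foreign-agency", "alice", "lab-result", "public-health-surveillance"),  # not directed
    Disclosure("clinic", "health-dept", "alice", "lab-result", "marketing"),                    # wrong purpose
    Disclosure("clinic", "health-dept", "alice", "shoe-size", "tb-outbreak-reporting"),         # t not PHI
]


def evaluate_samples():
    w = sample_world()
    return [permitted_by_164_512b1i(w, d) for d in SAMPLE_CASES]


if __name__ == "__main__":
    print(evaluate_samples())
```

The third case fails for the reason the norm makes explicit: the foreign agency may only receive the information when a domestic authority that is itself authorized for that very purpose directed the disclosure, so the missing directed-disclosure fact is decisive even though the purpose is a public health one.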

164.512(b)(1)(ii)

A  public  health  authority  or  other  appropriate  government  authority  authorized  by 
law  to  receive  reports  of  child  abuse  or  neglect; 

\[
\begin{aligned}
\varphi^{+}_{164.512b1ii} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (\mathrm{activerole}(p_2, \text{public-health-authority}) \vee {} \\
& \ \mathrm{activerole}(p_2, \text{government-authority})) \wedge {} \\
& \mathrm{belongstorole}(p_2, \text{authorized-by-law-for-purpose}(u)) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{reports-of-child-abuse})
\end{aligned}
\]

164.512(b)(1)(iii)

A  person  subject  to  the  jurisdiction  of  the  Food  and  Drug  Administration  (FDA)  with 
respect  to  an  FDA-regulated  product  or  activity  for  which  that  person  has  responsibility, 
for  the  purpose  of  activities  related  to  the  quality,  safety  or  effectiveness  of  such  FDA- 
regulated  product  or  activity.  Such  purposes  include: 

(A)  To  collect  or  report  adverse  events  (or  similar  activities  with  respect  to  food  or 
dietary  supplements) ,  product  defects  or  problems  (including  problems  with  the  use 
or  labeling  of  a  product),  or  biological  product  deviations; 

(B)  To  track  FDA-regulated  products; 

(C) To enable product recalls, repairs, or replacement, or lookback (including locating
and notifying individuals who have received products that have been recalled,
withdrawn,  or  are  the  subject  of  lookback);  or 

(D)  To  conduct  post  marketing  surveillance; 

\[
\begin{aligned}
\varphi^{+}_{164.512b1iii} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \exists p{:}\mathit{prod}.\ \text{is-FDA-regulated}(p) \wedge {} \\
& \quad \mathrm{activerole}(p_2, \text{responsible-for-product}(p)) \wedge {} \\
& \quad (t \in_T \mathit{phi}) \wedge {} \\
& \quad (u \in_U \text{quality-safety-effectiveness-activities}(p))
\end{aligned}
\]

Note  that  we  use  existential  quantification  over  a  new  sort,  prod,  to  link  the  recipient  to  the  same 
product  mentioned  in  the  purpose. 

164.512(b)(1)(iv)

A  person  who  may  have  been  exposed  to  a  communicable  disease  or  may  otherwise  be 
at  risk  of  contracting  or  spreading  a  disease  or  condition,  if  the  covered  entity  or  public 
health  authority  is  authorized  by  law  to  notify  such  person  as  necessary  in  the  conduct 
of  a  public  health  intervention  or  investigation;  or 

Somewhat surprisingly, the protected health information that may be disclosed is left wholly
unconstrained in this paragraph. We believe that the public health purpose and the principle
of minimum necessary disclosure will appropriately limit the protected health information that
may be disclosed.

\[
\begin{aligned}
\varphi^{+}_{164.512b1iv} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \mathrm{belongstorole}(p_2, \text{risk-of-contracting-or-spreading-disease}) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{notify-for-public-health-intervention})
\end{aligned}
\]
164.512(b)(1)(v)

An  employer,  about  an  individual  who  is  a  member  of  the  workforce  of  the  employer, 

if: 

(A) The covered entity is a covered health care provider who is a member of the workforce
of such employer or who provides health care to the individual at the request
of  the  employer: 

(1)  To  conduct  an  evaluation  relating  to  medical  surveillance  of  the  workplace;  or 

(2)  To  evaluate  whether  the  individual  has  a  work-related  illness  or  injury; 

(B)  The  protected  health  information  that  is  disclosed  consists  of  findings  concerning  a 
work-related  illness  or  injury  or  a  workplace-related  medical  surveillance; 

(C) The employer needs such findings in order to comply with its obligations, under
29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law
having a similar purpose, to record such illness or injury or to carry out responsibilities
for workplace medical surveillance; and

(D) The covered health care provider provides written notice to the individual that protected
health information relating to the medical surveillance of the workplace and
work-related  illnesses  and  injuries  is  disclosed  to  the  employer: 

(1)  By  giving  a  copy  of  the  notice  to  the  individual  at  the  time  the  health  care  is 
provided;  or 

(2)  If  the  health  care  is  provided  on  the  work  site  of  the  employer,  by  posting  the 
notice  in  a  prominent  place  at  the  location  where  the  health  care  is  provided. 

We  have  the  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.512b1v} ={}& (\mathrm{activerole}(p_1, \text{provider}) \wedge {} \\
& \quad (\mathrm{belongstorole}(p_1, \text{workforce-member}(p_2)) \vee {} \\
& \quad\ \mathrm{belongstorole}(p_1, \text{provides-medical-surveillance}(p_2)) \vee {} \\
& \quad\ \mathrm{belongstorole}(p_1, \text{provides-injury-evaluation}(p_2)))) \wedge {} \\
& \mathrm{activerole}(p_2, \text{employer}) \wedge {} \\
& \mathrm{belongstorole}(q, \text{workforce-member}(p_2)) \wedge {} \\
& (((t \in_T \text{workplace-injury-findings}) \wedge {} \\
& \quad (u \in_U \text{obligation-to-record-workplace-injury})) \vee {} \\
& \ ((t \in_T \text{medical-surveillance-findings}) \wedge {} \\
& \quad (u \in_U \text{obligation-to-perform-medical-surveillance}))) \wedge {} \\
& \exists m'.\ \Diamond\mathrm{send}(p_1, q, m') \wedge {} \\
& \quad \text{is-notice-of-workplace-disclosure}(m')
\end{aligned}
\]

Note  that  we  have  tied  the  attribute  class  workplace-injury-findings  to  the  corresponding  purpose 
obligation-to-record-workplace-injury.  Similarly,  the  information  type  medical-surveillance-findings 
and  purpose  obligation-to-perform-medical-surveillance  are  tied  together.  Although  this  is  not  made 
explicit  in  the  text,  we  believe  that  it  is  reasonable  to  assume  that  this  was  the  intended  meaning. 

Due  to  our  abstract  send-based  model,  we  cannot  capture  the  distinction  between  giving  a  copy 
of  the  notice  and  posting  the  notice  in  a  prominent  public  place.  Therefore,  we  do  not  include 
paragraph  (D)(2). 
164.512(b)(2)

If  the  covered  entity  also  is  a  public  health  authority,  the  covered  entity  is  permitted 
to  use  protected  health  information  in  all  cases  in  which  it  is  permitted  to  disclose  such 
information  for  public  health  activities  under  paragraph  (b)(1)  of  this  section. 

Because our model cannot express usage-based norms, we cannot handle this paragraph. However,
given a model that supports usage-based norms, we expect that it would be straightforward
to copy the norms from paragraph (b)(1) and make only slight modifications.

164.512(c) 

We  combine  the  following  norms  from  this  paragraph  to  form  a  new  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.512c} ={}& \varphi^{+}_{164.512c1} \wedge {} \\
& (\varphi^{-}_{164.512c2} \vee \varphi^{+}_{164.512c2i} \vee \varphi^{+}_{164.512c2ii})
\end{aligned}
\]

Note  that  this  construction  contains  a  local  negative  norm  with  its  own  exceptions. 

164.512(c)(1) 

Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this
section,  a  covered  entity  may  disclose  protected  health  information  about  an  individual 
whom  the  covered  entity  reasonably  believes  to  be  a  victim  of  abuse,  neglect,  or  domestic 
violence  to  a  government  authority,  including  a  social  service  or  protective  services 
agency,  authorized  by  law  to  receive  reports  of  such  abuse,  neglect,  or  domestic  violence: 

(i)  To  the  extent  the  disclosure  is  required  by  law  and  the  disclosure  complies  with  and 
is  limited  to  the  relevant  requirements  of  such  law; 

(ii)  If  the  individual  agrees  to  the  disclosure;  or 

(iii) To the extent the disclosure is expressly authorized by statute or regulation and:

(A) The covered entity, in the exercise of professional judgment, believes the disclosure
is necessary to prevent serious harm to the individual or other potential
victims;  or 

(B)  If  the  individual  is  unable  to  agree  because  of  incapacity,  a  law  enforcement  or 
other  public  official  authorized  to  receive  the  report  represents  that  the  protected 
health  information  for  which  disclosure  is  sought  is  not  intended  to  be  used 
against  the  individual  and  that  an  immediate  enforcement  activity  that  depends 
upon  the  disclosure  would  be  materially  and  adversely  affected  by  waiting  until 
the  individual  is  able  to  agree  to  the  disclosure. 

\[
\begin{aligned}
\varphi^{+}_{164.512c1} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \mathrm{belongstorole}(p_2, \text{government-authority}) \wedge {} \\
& \mathrm{activerole}(p_2, \text{authorized-by-law-for-purpose}(u)) \wedge {} \\
& \text{believes-victim-of-abuse}(p_1, q) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{reports-of-abuse}) \wedge {} \\
& (\text{is-required-by-law}(p_1, p_2, (q, t), u) \vee {} \\
& \ \text{individual-has-agreed}(p_1, p_2, (q, t), u) \vee {} \\
& \ (\text{authorized-by-statute-regulation}(p_1, p_2, (q, t), u) \wedge {} \\
& \quad (\text{believes-disclosure-necessary-to-prevent-harm}(p_1, p_2, (q, t), u) \vee {} \\
& \quad\ (\mathrm{belongstorole}(q, \text{incapacitated}) \wedge {} \\
& \quad\quad \exists p_3.\ \mathrm{belongstorole}(p_3, \text{public-official}) \wedge {} \\
& \quad\quad\ \mathrm{activerole}(p_3, \text{authorized-for-purpose}(u)) \wedge {} \\
& \quad\quad\ \text{assurance-disclosure-not-used-against-individual}(p_3, p_1, p_2, (q, t), u) \wedge {} \\
& \quad\quad\ \text{believes-waiting-for-agreement-would-hinder-enforcement}(p_3, p_1, p_2, (q, t), u)))))
\end{aligned}
\]

Because there is no implementation specification for an individual’s agreement, we factor this
out as a new predicate, individual-has-agreed. Also, because the negative norm $\varphi^{-}_{164.512c2}$ applies
locally to $\varphi^{+}_{164.512c1}$ (and not to $\varphi^{+}_{164.512b1ii}$), no additional work is necessary to capture the phrase
“except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section.”

164.512(c)(2) 

A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section
must promptly inform the individual that such a report has been or will be made, except
if:

We have the following negative norm. Although no definition of “promptly” is provided by the
law, if we are given a promptness constant, $c_{\mathit{prompt}}$, we write:

\[
\begin{aligned}
\varphi^{-}_{164.512c2} ={}& \Diamond\,\exists m'.\ \bigl((\Diamond\mathrm{send}(p_1, q, m') \vee {} \\
& \quad ((\tau' - \tau \le c_{\mathit{prompt}}) \wedge \mathrm{send}(p_1, q, m'))) \wedge {} \\
& \quad \text{is-notice-of-report}(m', p_1, p_2, (q, t), u)\bigr)
\end{aligned}
\]


164.512(c)(2)(i) 

The  covered  entity,  in  the  exercise  of  professional  judgment,  believes  informing  the 
individual  would  place  the  individual  at  risk  of  serious  harm;  or 

We  have  the  positive  norm: 

\[
\varphi^{+}_{164.512c2i} = \text{believes-notice-would-risk-individual}(p_1, p_2, (q, t), u)
\]

Again,  we  rely  on  an  oracle  for  the  semantics  of  believes-notice-would-risk-individual. 
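The local negative norm and its exception read naturally as an audit rule over a disclosure log: every disclosure admitted by (c)(1) must be followed, within the promptness bound, by a notice to the individual unless the (c)(2)(i) oracle holds. The following added example is written for this page (it is not code from the report or from Lam et al.) and checks a constructed trace against $\varphi^{+}_{164.512c} = \varphi^{+}_{164.512c1} \wedge (\varphi^{-}_{164.512c2} \vee \varphi^{+}_{164.512c2i})$. Its assumptions: $c_{\mathit{prompt}}$ is set to a constructed 3 days, the oracle predicates are given extensionally as sets of argument tuples, branch (iii) of (c)(1) is left out, the attribute hierarchy is flat, and (c)(2)(ii) is not modelled, as the report leaves it unformalized.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

C_PROMPT = 3  # constructed value for c_prompt: a notice counts as prompt within 3 days


@dataclass(frozen=True)
class Send:
    """One send(p1, p2, m) at time tau. A disclosure carries (q, t, u); a
    notice-of-report names the notified individual q and the (p2, q) it reports."""
    time: int
    p1: str
    p2: str
    kind: str                  # "disclosure" or "notice-of-report"
    q: str = ""
    t: str = ""
    u: str = ""
    reports: Optional[Tuple[str, str]] = None


@dataclass
class World:
    """Role facts plus the oracle predicates, each as a set of argument tuples."""
    active_roles: set                 # activerole(p, r)
    belongs_roles: set                # belongstorole(p, r)
    believes_victim_of_abuse: set     # (p1, q)
    required_by_law: set              # (p1, p2, q, t, u)
    individual_has_agreed: set        # (p1, p2, q, t, u)
    believes_notice_would_risk: set   # (p1, p2, q, t, u), the c2i oracle


def phi_plus_c1(w, d):
    """phi+_164.512c1 with branch (iii) (statute-authorized disclosures) left out."""
    key = (d.p1, d.p2, d.q, d.t, d.u)
    return (
        (d.p1, "covered-entity") in w.active_roles
        and (d.p2, "government-authority") in w.belongs_roles
        and (d.p2, ("authorized-by-law-for-purpose", d.u)) in w.active_roles
        and (d.p1, d.q) in w.believes_victim_of_abuse
        and d.t == "phi"                  # t ∈_T phi, flat hierarchy here
        and d.u == "reports-of-abuse"     # u ∈_U reports-of-abuse
        and (key in w.required_by_law or key in w.individual_has_agreed)
    )


def phi_minus_c2(trace, d, c_prompt=C_PROMPT):
    """phi-_164.512c2: p1 sent q a notice of this report, either already (the
    past-tense ◇send) or at a time tau' with tau' - tau <= c_prompt."""
    return any(
        e.kind == "notice-of-report"
        and e.p1 == d.p1 and e.p2 == d.q
        and e.reports == (d.p2, d.q)
        and (e.time <= d.time or e.time - d.time <= c_prompt)
        for e in trace
    )


def phi_plus_c2i(w, d):
    return (d.p1, d.p2, d.q, d.t, d.u) in w.believes_notice_would_risk


def audit(w, trace, c_prompt=C_PROMPT):
    """phi+_164.512c = phi+_c1 ∧ (phi-_c2 ∨ phi+_c2i): one verdict per disclosure,
    keyed by disclosure time. (c)(2)(ii) is not modelled."""
    verdicts = {}
    for d in trace:
        if d.kind != "disclosure":
            continue
        if not phi_plus_c1(w, d):
            verdicts[d.time] = "not permitted by 164.512(c)(1)"
        elif phi_minus_c2(trace, d, c_prompt) or phi_plus_c2i(w, d):
            verdicts[d.time] = "permitted"
        else:
            verdicts[d.time] = "prompt notice to the individual missing, 164.512(c)(2)"
    return verdicts


def sample_world():
    """Constructed facts for a clinic reporting to a protective-services agency."""
    abuse = "reports-of-abuse"
    return World(
        active_roles={("clinic", "covered-entity"),
                      ("protective-services", ("authorized-by-law-for-purpose", abuse))},
        belongs_roles={("protective-services", "government-authority")},
        believes_victim_of_abuse={("clinic", q) for q in ("alice", "bob", "carol", "dave")},
        required_by_law={("clinic", "protective-services", q, "phi", abuse)
                         for q in ("alice", "bob", "carol")},
        individual_has_agreed=set(),
        believes_notice_would_risk={("clinic", "protective-services", "carol", "phi", abuse)},
    )


# Constructed trace; times are days.
SAMPLE_TRACE = [
    Send(1, "clinic", "protective-services", "disclosure", "alice", "phi", "reports-of-abuse"),
    Send(3, "clinic", "alice", "notice-of-report", "alice", reports=("protective-services", "alice")),
    Send(10, "clinic", "protective-services", "disclosure", "bob", "phi", "reports-of-abuse"),
    Send(20, "clinic", "bob", "notice-of-report", "bob", reports=("protective-services", "bob")),
    Send(30, "clinic", "protective-services", "disclosure", "carol", "phi", "reports-of-abuse"),
    Send(40, "clinic", "protective-services", "disclosure", "dave", "phi", "marketing"),
]


def audit_sample():
    return audit(sample_world(), SAMPLE_TRACE)


if __name__ == "__main__":
    for time, verdict in sorted(audit_sample().items()):
        print(time, verdict)
```

The disclosure at day 10 is the interesting one: it is admitted by (c)(1), yet the notice arrives ten days later, outside the bound, and no exception applies, so the composite norm rejects it; the day-30 disclosure has no notice at all but is saved by the (c)(2)(i) oracle, which is exactly the local-exception structure of $\varphi^{+}_{164.512c}$.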

164.512(c)(2)(ii) 

The  covered  entity  would  be  informing  a  personal  representative,  and  the  covered 
entity  reasonably  believes  the  personal  representative  is  responsible  for  the  abuse,  neglect, 
or  other  injury,  and  that  informing  such  person  would  not  be  in  the  best  interests  of  the 
individual  as  determined  by  the  covered  entity,  in  the  exercise  of  professional  judgment. 

It is not clear to us how to represent the necessity modality present in the phrase “[If] the
covered entity would be informing a personal representative”. We could consider adding a new
modality to the logic, but it seems likely to impose more technical complications than the benefit
we would gain. Moreover, even if we did add a new modality, we would be breaking the
abstraction of whether a message goes to the individual or to the personal representative.
164.512(d)

164.512(d)(1) 

A  covered  entity  may  disclose  protected  health  information  to  a  health  oversight 
agency  for  oversight  activities  authorized  by  law,  including  audits;  civil,  administrative, 
or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative,
or criminal proceedings or actions; or other activities necessary for appropriate
oversight  of: 

(i)  The  health  care  system; 

(ii)  Government  benefit  programs  for  which  health  information  is  relevant  to  beneficiary 
eligibility; 

(iii) Entities subject to government regulatory programs for which health information is
necessary for determining compliance with program standards; or
(iv)  Entities  subject  to  civil  rights  laws  for  which  health  information  is  necessary  for 
determining  compliance. 

We  have  the  positive  norm: 

\[
\begin{aligned}
\varphi^{+}_{164.512d1} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \mathrm{belongstorole}(p_2, \text{health-oversight-agency}) \wedge {} \\
& \mathrm{activerole}(p_2, \text{authorized-by-law}(u)) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& \exists p_3.\ (u \in_U \text{oversight}(p_3)) \wedge {} \\
& \quad (\mathrm{activerole}(p_3, \text{health-care-system}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{government-benefit-programs-health-eligibility}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{government-regulated-entity-health-compliance}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{subject-to-civil-rights-health-compliance}))
\end{aligned}
\]

Note the use of the authorized-by-law(u) role, which is parameterized by the purpose u and captures
the principals that are authorized by law for purpose u.

Also, paragraph (i) is unclear to us: the term “health care system” seems too generic a term
to be useful in practice. Nevertheless, we choose to formalize it using a role health-care-system.

164.512(d)(2) 

For  the  purpose  of  the  disclosures  permitted  by  paragraph  (d)(1)  of  this  section,  a 
health  oversight  activity  does  not  include  an  investigation  or  other  activity  in  which  the 
individual  is  the  subject  of  the  investigation  or  activity  and  such  investigation  or  other 
activity  does  not  arise  out  of  and  is  not  directly  related  to: 

(i)  The  receipt  of  health  care; 

(ii)  A  claim  for  public  benefits  related  to  health;  or 

(iii) Qualification for, or receipt of, public benefits or services when a patient’s health
is  integral  to  the  claim  for  public  benefits  or  services. 

We  would  like  to  express  this  paragraph  as: 
\[
\begin{aligned}
(u \in_U \text{oversight}(q)) \supset{}& \text{related-to-receipt-health-care}(u) \vee {} \\
& \text{related-to-public-health-benefits}(u) \vee {} \\
& \text{related-to-public-benefits-qualification-depends-on-health}(u)
\end{aligned}
\]

However,  this  cannot  be  expressed  as  an  isolated  constraint  because  q  must  refer  to  the  individual. 
We  resolve  this  problem  by  merging  this  paragraph  into  the  norm  from  (d)(1): 

\[
\begin{aligned}
\varphi^{+}_{164.512d1'} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \mathrm{belongstorole}(p_2, \text{health-oversight-agency}) \wedge {} \\
& \mathrm{activerole}(p_2, \text{authorized-by-law}(u)) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& \exists p_3.\ (u \in_U \text{oversight}(p_3)) \wedge {} \\
& \quad (\mathrm{activerole}(p_3, \text{health-care-system}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{government-benefit-programs-health-eligibility}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{government-regulated-entity-health-compliance}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{subject-to-civil-rights-health-compliance})) \wedge {} \\
& \quad ((p_3 = q) \supset {} \\
& \quad\quad \text{related-to-receipt-health-care}(u) \vee {} \\
& \quad\quad \text{related-to-public-health-benefits}(u) \vee {} \\
& \quad\quad \text{related-to-public-benefits-qualification-depends-on-health}(u))
\end{aligned}
\]

Admittedly,  this  weakens  the  correspondence  with  the  text’s  structure,  but  that  seems  unavoidable. 

164.512(d)(3)

Notwithstanding  paragraph  (d)(2)  of  this  section,  if  a  health  oversight  activity  or 
investigation is conducted in conjunction with an oversight activity or investigation relating
to a claim for public benefits not related to health, the joint activity or investigation
is  considered  a  health  oversight  activity  for  purposes  of  paragraph  (d)  of  this  section. 

Again,  it  seems  necessary  to  merge  this  paragraph  into  the  norm  for  paragraph  (d)(1): 

\[
\begin{aligned}
\varphi^{+}_{164.512d1''} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \mathrm{belongstorole}(p_2, \text{health-oversight-agency}) \wedge {} \\
& \mathrm{activerole}(p_2, \text{authorized-by-law}(u)) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& \exists p_3.\ (u \in_U \text{oversight}(p_3)) \wedge {} \\
& \quad (\mathrm{activerole}(p_3, \text{health-care-system}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{government-benefit-programs-health-eligibility}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{government-regulated-entity-health-compliance}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{subject-to-civil-rights-health-compliance})) \wedge {} \\
& \quad ((p_3 = q) \supset {} \\
& \quad\quad \exists u'.\ (\text{related-to-receipt-health-care}(u') \vee {} \\
& \quad\quad\quad \text{related-to-public-health-benefits}(u') \vee {} \\
& \quad\quad\quad \text{related-to-public-benefits-qualification-depends-on-health}(u')) \wedge {} \\
& \quad\quad ((u' = u) \vee {} \\
& \quad\quad\ \text{joint-oversight}(u, u')))
\end{aligned}
\]
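To see what folding (d)(2) and then (d)(3) into the norm actually changes, here is an added example written for this page (not the report's own code) that evaluates $\varphi^{+}_{164.512d1}$, $\varphi^{+}_{164.512d1'}$ and $\varphi^{+}_{164.512d1''}$ side by side on constructed facts. The role facts, the oversight($p_3$) purposes, the set of health-related purposes (standing in for the three related-to-... oracle predicates) and the joint-oversight pairs are all sample data, and the attribute hierarchy is flat.

```python
from dataclasses import dataclass, field

# The four roles a principal p3 may hold to be a legitimate object of oversight.
OVERSIGHT_TARGETS = (
    "health-care-system",
    "government-benefit-programs-health-eligibility",
    "government-regulated-entity-health-compliance",
    "subject-to-civil-rights-health-compliance",
)


@dataclass(frozen=True)
class Disclosure:
    p1: str  # covered entity
    p2: str  # health oversight agency
    q: str   # individual the PHI is about
    t: str   # attribute
    u: str   # purpose


@dataclass
class Facts:
    active_roles: set        # activerole(p, r); parameterized roles are (name, arg) tuples
    belongs_roles: set       # belongstorole(p, r)
    oversight_of: dict       # u -> p3 such that u ∈_U oversight(p3)
    health_related: set      # purposes for which one of the related-to-... predicates holds
    joint_oversight: set = field(default_factory=set)  # joint-oversight(u, u') pairs


def oversight_target(f, d):
    """Conjuncts shared by d1, d1' and d1''. Returns the p3 witnessing
    ∃p3. (u ∈_U oversight(p3)) ∧ activerole(p3, ...), or None if any conjunct fails."""
    if (d.p1, "covered-entity") not in f.active_roles:
        return None
    if (d.p2, "health-oversight-agency") not in f.belongs_roles:
        return None
    if (d.p2, ("authorized-by-law", d.u)) not in f.active_roles:
        return None
    if d.t != "phi":  # t ∈_T phi, flat hierarchy in this example
        return None
    p3 = f.oversight_of.get(d.u)
    if p3 is None or not any((p3, r) in f.active_roles for r in OVERSIGHT_TARGETS):
        return None
    return p3


def d1(f, d):
    """phi+_164.512d1: paragraph (d)(1) on its own."""
    return oversight_target(f, d) is not None


def d1_prime(f, d):
    """phi+_164.512d1': (d)(2) folded in. If the individual is the object of the
    oversight (p3 = q), the purpose itself must be health-related."""
    p3 = oversight_target(f, d)
    return p3 is not None and (p3 != d.q or d.u in f.health_related)


def d1_double_prime(f, d):
    """phi+_164.512d1'': (d)(3) folded in. ∃u'. related(u') ∧ (u' = u ∨ joint-oversight(u, u'))."""
    p3 = oversight_target(f, d)
    if p3 is None:
        return False
    if p3 != d.q:
        return True
    return any(u2 == d.u or (d.u, u2) in f.joint_oversight for u2 in f.health_related)


def sample_facts(joint):
    """Constructed facts. With joint=True the benefit-fraud probe of the beneficiary
    is run jointly with a health-related eligibility review."""
    return Facts(
        active_roles={
            ("hospital", "covered-entity"),
            ("hospital", "health-care-system"),
            ("alice", "government-benefit-programs-health-eligibility"),  # constructed: a beneficiary
            ("oversight-agency", ("authorized-by-law", "billing-audit")),
            ("oversight-agency", ("authorized-by-law", "benefit-fraud-probe")),
        },
        belongs_roles={("oversight-agency", "health-oversight-agency")},
        oversight_of={"billing-audit": "hospital", "benefit-fraud-probe": "alice"},
        health_related={"eligibility-review"},
        joint_oversight={("benefit-fraud-probe", "eligibility-review")} if joint else set(),
    )


def compare(d, joint=False):
    """Verdicts (d1, d1', d1'') for one disclosure under the sample facts."""
    f = sample_facts(joint)
    return (d1(f, d), d1_prime(f, d), d1_double_prime(f, d))


AUDIT_OF_HOSPITAL = Disclosure("hospital", "oversight-agency", "alice", "phi", "billing-audit")
PROBE_OF_ALICE = Disclosure("hospital", "oversight-agency", "alice", "phi", "benefit-fraud-probe")

if __name__ == "__main__":
    print(compare(AUDIT_OF_HOSPITAL), compare(PROBE_OF_ALICE), compare(PROBE_OF_ALICE, joint=True))
```

The audit of the hospital passes all three versions because $p_3 \neq q$. The fraud probe that targets alice herself passes (d)(1) alone, is rejected once (d)(2) is folded in, and is admitted again under (d)(3) only when a joint-oversight fact links it to a health-related purpose, which is precisely why the constraint could not be stated in isolation from the norm that binds $q$.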
164.512(d)(4)

If  a  covered  entity  also  is  a  health  oversight  agency,  the  covered  entity  may  use 
protected  health  information  for  health  oversight  activities  as  permitted  by  paragraph  (d) 
of  this  section. 

Again, because our model does not support usage-based norms, we cannot handle this paragraph.
However, we expect that, in such a model, it would be straightforward to modify the norms
from paragraph (d) to apply to uses.

164.512(e) 

164.512(e)(1) 

A  covered  entity  may  disclose  protected  health  information  in  the  course  of  any 
judicial  or  administrative  proceeding: 

164.512(e)(1)(i)

In  response  to  an  order  of  a  court  or  administrative  tribunal,  provided  that  the 
covered  entity  discloses  only  the  protected  health  information  expressly  authorized  by 
such  order;  or 

\[
\begin{aligned}
\varphi^{+}_{164.512e1i} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{judicial-administrative-proceeding}) \wedge {} \\
& \exists p_3, m'.\ (\mathrm{activerole}(p_3, \text{court}) \vee {} \\
& \quad\ \mathrm{activerole}(p_3, \text{administrative-tribunal})) \wedge {} \\
& \quad \mathrm{send}(p_3, p_1, m') \wedge {} \\
& \quad \text{is-order}(m', p_1, p_2, (q, t))
\end{aligned}
\]

We rely on an oracle for the semantics of is-order.

164.512(e)(1)(ii)

In  response  to  a  subpoena,  discovery  request,  or  other  lawful  process,  that  is  not 
accompanied  by  an  order  of  a  court  or  administrative  tribunal,  if: 

(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii)
of this section, from the party seeking the information that reasonable efforts have
been made by such party to ensure that the individual who is the subject of the
protected health information that has been requested has been given notice of the
request; or

(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv)
of this section, from the party seeking the information that reasonable efforts have
been made by such party to secure a qualified protective order that meets the requirements
of paragraph (e)(1)(v) of this section.

We  have  the  positive  norm: 
\[
\begin{aligned}
\varphi^{+}_{164.512e1ii} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{judicial-administrative-proceeding}) \wedge {} \\
& \exists m'.\ \Diamond\mathrm{send}(p_2, p_1, m') \wedge {} \\
& \quad \text{is-lawful-process}(m', p_1, p_2, (q, t)) \wedge {} \\
& \quad (\text{received-satisfactory-assurances-164.512e1iii}(p_1, p_2, (q, t), u) \vee {} \\
& \quad\ \text{received-satisfactory-assurances-164.512e1iv}(p_1, p_2, (q, t), u))
\end{aligned}
\]

We  rely  on  an  oracle  for  the  semantics  of  is-lawful-process.  The  macros  for  receiving  satisfactory 
assurances  are  defined  in  the  following  paragraphs. 

164.512(e)(1)(iii)

For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives
satisfactory assurances from a party seeking protected health information if the covered
entity  receives  from  such  party  a  written  statement  and  accompanying  documentation 
demonstrating  that: 

(A)  The  party  requesting  such  information  has  made  a  good  faith  attempt  to  provide 
written  notice  to  the  individual  (or,  if  the  individual’s  location  is  unknown,  to  mail 
a  notice  to  the  individual’s  last  known  address); 

(B)  The  notice  included  sufficient  information  about  the  litigation  or  proceeding  in 
which  the  protected  health  information  is  requested  to  permit  the  individual  to  raise 
an  objection  to  the  court  or  administrative  tribunal;  and 

(C) The time for the individual to raise objections to the court or administrative tribunal
has elapsed, and:

(1)  No  objections  were  filed;  or 

(2)  All  objections  filed  by  the  individual  have  been  resolved  by  the  court  or  the 
administrative  tribunal  and  the  disclosures  being  sought  are  consistent  with 
such  resolution. 

\[
\begin{aligned}
\text{received-satisfactory-assurances-164.512e1iii}(p_1, p_2, (q, t), u) = {} \\
& \exists m'.\ \Diamond\mathrm{send}(p_2, p_1, m') \wedge {} \\
& \quad \text{contains-evidence-of-attempt-to-sufficiently-notify}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \quad \text{contains-evidence-of-objection-time-elapsed}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \quad (\text{contains-evidence-of-no-objections}(m', p_1, p_2, (q, t), u) \vee {} \\
& \quad\ \text{contains-evidence-of-all-objections-resolved}(m', p_1, p_2, (q, t), u))
\end{aligned}
\]

We  revive  the  use  of  special  purpose  contains-...  predicates.  Our  generic  contains  predicate  requires 
that  the  attribute  be  given  with  respect  to  a  particular  subject  principal.  This  is  not  the  case  here. 

164.512(e)(1)(iv)

For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity receives
satisfactory  assurances  from  a  party  seeking  protected  health  information,  if  the  covered 
entity  receives  from  such  party  a  written  statement  and  accompanying  documentation 
demonstrating  that: 
(A) The parties to the dispute giving rise to the request for information have agreed
to  a  qualified  protective  order  and  have  presented  it  to  the  court  or  administrative 
tribunal  with  jurisdiction  over  the  dispute;  or 

(B) The party seeking the protected health information has requested a qualified protective
order from such court or administrative tribunal.

\[
\begin{aligned}
\text{received-satisfactory-assurances-164.512e1iv}(p_1, p_2, (q, t), u) = {} \\
& \exists m'.\ \Diamond\mathrm{send}(p_2, p_1, m') \wedge {} \\
& \quad (\text{contains-evidence-of-parties-agreed-to-protective-order}(m', p_1, p_2, (q, t), u) \v​ee {} \\
& \quad\ \text{contains-evidence-of-request-for-protective-order}(m', p_1, p_2, (q, t), u))
\end{aligned}
\]

Again,  we  rely  solely  on  predicates  because  the  requirement  is  for  evidence  of  a  qualified  protective 
order,  not  the  actual  order  itself.  We  assume  that  the  legal  proceeding  purpose  u  captures  all  of 
the  information  regarding  parties  in  the  dispute  and  the  relevant  court. 

164.512(e)(1)(v)

For  purposes  of  paragraph  (e)(1)  of  this  section,  a  qualified  protective  order  means, 
with respect to protected health information requested under paragraph (e)(1)(ii) of this
section,  an  order  of  a  court  or  of  an  administrative  tribunal  or  a  stipulation  by  the 
parties  to  the  litigation  or  administrative  proceeding  that: 

(A)  Prohibits  the  parties  from  using  or  disclosing  the  protected  health  information  for 
any  purpose  other  than  the  litigation  or  proceeding  for  which  such  information  was 
requested;  and 

(B)  Requires  the  return  to  the  covered  entity  or  destruction  of  the  protected  health 
information  (including  all  copies  made)  at  the  end  of  the  litigation  or  proceeding. 

By  relying  on  predicates  to  check  the  evidence  of  a  protective  order,  and  not  the  existence  of 
the  protective  order  itself,  this  paragraph  seems  unnecessary. 

164.512(e)(1)(vi)

Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose
protected health information in response to lawful process described in paragraph (e)(1)(ii)
of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or
(B) of this section, if the covered entity makes reasonable efforts to provide notice to
the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section
or to seek a qualified protective order sufficient to meet the requirements of paragraph
(e)(1)(iv) of this section.

\[
\begin{aligned}
\varphi^{+}_{164.512e1vi} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{judicial-administrative-proceeding}) \wedge {} \\
& \exists m'.\ \Diamond\mathrm{send}(p_2, p_1, m') \wedge {} \\
& \quad \text{is-lawful-process}(m', p_1, p_2, (q, t), u) \wedge {} \\
& \quad \text{made-reasonable-effort-to-notify}(p_1, p_2, (q, t), u)
\end{aligned}
\]
164.512(e)(2)

The  provisions  of  this  paragraph  do  not  supersede  other  provisions  of  this  section 
that  otherwise  permit  or  restrict  uses  or  disclosures  of  protected  health  information. 

In  our  opinion,  this  paragraph  simply  requires  that  all  negative  norms  in  this  section  apply  to 
the  positive  norms  from  paragraph  (e).  This  will  automatically  be  the  case  due  to  our  top-level 
formula  and  the  fact  that  the  positive  norms  of  paragraph  (e)  will  be  injected  there. 

164.512(f) 

A  covered  entity  may  disclose  protected  health  information  for  a  law  enforcement 
purpose  to  a  law  enforcement  official  if  the  conditions  in  paragraphs  (f)(1)  through 
(f)(6)  of  this  section  are  met,  as  applicable. 

This paragraph serves to factor out the constraint that paragraphs (f)(1) through (f)(6) apply to
disclosures for law enforcement purposes to a law enforcement official. Our norms in the following
paragraphs take this into account.

164.512(f)(1) 

A  covered  entity  may  disclose  protected  health  information: 

164.512(f)(1)(i)

As  required  by  law  including  laws  that  require  the  reporting  of  certain  types  of  wounds 
or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of
this  section;  or 

\[
\begin{aligned}
\varphi^{+}_{164.512f1i} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \mathrm{activerole}(p_2, \text{law-enforcement-official}) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{law-enforcement}) \wedge {} \\
& \text{required-by-law}(p_1, p_2, (q, t), u) \wedge {} \\
& \neg\varphi^{+}_{164.512b1ii} \wedge {} \\
& \neg\varphi^{+}_{164.512c1i}
\end{aligned}
\]

164.512(f)(1)(ii)

In  compliance  with  and  as  limited  by  the  relevant  requirements  of: 

(A)  A  court  order  or  court-ordered  warrant,  or  a  subpoena  or  summons  issued  by  a 
judicial  officer; 

(B)  A  grand  jury  subpoena;  or 

(C)  An  administrative  request,  including  an  administrative  subpoena  or  summons,  a 
civil  or  an  authorized  investigative  demand,  or  similar  process  authorized  under 
law,  provided  that: 

(1) The information sought is relevant and material to a legitimate law enforcement
inquiry;
(2) The request is specific and limited in scope to the extent reasonably practicable
in  light  of  the  purpose  for  which  the  information  is  sought;  and 

(3)  De-identified  information  could  not  reasonably  be  used. 

\[
\begin{aligned}
\varphi^{+}_{164.512f1ii} ={}& \mathrm{activerole}(p_1, \text{covered-entity}) \wedge {} \\
& \mathrm{activerole}(p_2, \text{law-enforcement-official}) \wedge {} \\
& (t \in_T \mathit{phi}) \wedge {} \\
& (u \in_U \text{law-enforcement}) \wedge {} \\
& (\text{in-compliance-with-court-order}(p_1, p_2, (q, t), u) \vee {} \\
& \ \text{in-compliance-with-grand-jury-subpoena}(p_1, p_2, (q, t), u) \vee {} \\
& \ (\text{in-compliance-with-administrative-request}(p_1, p_2, (q, t), u) \wedge {} \\
& \quad \text{minimum-necessary}(p_1, p_2, m, u) \wedge {} \\
& \quad \text{deidentified-information-not-sufficient}(u)))
\end{aligned}
\]

It seems that paragraph (f)(1)(ii)(C)(1) is redundant since the opening of paragraph (f) explicitly
states that the disclosure must be for a law enforcement purpose.

164.512(f)(2)

Except for disclosures required by law as permitted by paragraph (f)(1) of this section,
a covered entity may disclose protected health information in response to a law enforcement
official’s request for such information for the purpose of identifying or locating a
suspect, fugitive, material witness, or missing person, provided that:

(i)  The  covered  entity  may  disclose  only  the  following  information: 

(A)  Name  and  address; 

(B)  Date  and  place  of  birth; 

(C)  Social  security  number; 

(D)  ABO  blood  type  and  rh  factor; 

(E)  Type  of  injury; 

(F)  Date  and  time  of  treatment; 

(G)  Date  and  time  of  death,  if  applicable;  and 

(H) A description of distinguishing physical characteristics, including height, weight,
gender, race, hair and eye color, presence or absence of facial hair (beard or
moustache), scars, and tattoos.

(ii)  Except  as  permitted  by  paragraph  (f)(2)(i)  of  this  section,  the  covered  entity  may 
not  disclose  for  the  purposes  of  identification  or  location  under  paragraph  (f)(2) 
of  this  section  any  protected  health  information  related  to  the  individual’s  DNA 
or  DNA  analysis,  dental  records,  or  typing,  samples  or  analysis  of  body  fluids  or 
tissue. 

We  have  the  following  positive  norm: 

$$
\begin{aligned}
\varphi^{+}_{164.512f2} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{law-enforcement-official}) \wedge \\
& ((t \in_T \text{name-and-address}) \vee \\
& \quad (t \in_T \text{date-and-place-of-birth}) \vee \\
& \quad (t \in_T \text{social-security-number}) \vee \\
& \quad (t \in_T \text{ABO-blood-type-and-rh-factor}) \vee \\
& \quad (t \in_T \text{type-of-injury}) \vee \\
& \quad (t \in_T \text{date-and-time-of-treatment}) \vee \\
& \quad (t \in_T \text{date-and-time-of-death}) \vee \\
& \quad (t \in_T \text{distinguishing-physical-characteristics})) \wedge \\
& (u \in_U \text{law-enforcement-relevant-identification-or-location}(q)) \wedge \\
& (\exists m'.\ \Diamond\text{send}(p_2, p_1, m') \wedge \\
& \quad \text{is-request-for}(m', p_1, p_2, (q, t), u))
\end{aligned}
$$

Since paragraph (f)(2)(i) does not mention DNA information, we believe that the “exception”
given in paragraph (f)(2)(ii) is simply a statement of intent that serves to underscore the fact that
DNA information is not mentioned in (f)(2)(i). As a result, we include no logical mention of DNA
information.

We also do not understand the need for the “except for disclosures required by law as permitted
by paragraph (f)(1)” exception. However, because this paragraph introduces no negative norms,
the disjunctive character of positive norms will do the correct thing: these categories would only
apply in $\varphi^{+}_{164.512f2}$. It seems that the authors of HIPAA may be confusing “if” with “only if”.

164.512(f)(3)

Except for disclosures required by law as permitted by paragraph (f)(1) of this section,
a covered entity may disclose protected health information in response to a law
enforcement official’s request for such information about an individual who is or is suspected
to be a victim of a crime, other than disclosures that are subject to paragraph (b)
or (c) of this section, if:

Note  that  we  will  not  need  to  handle  the  phrase  “other  than  disclosures  that  are  subject  to 
paragraph  (b)  or  (c)  of  this  section”.  Even  though  this  paragraph  requires  things  (essentially 
agreement)  beyond  (b)  and  (c),  these  additional  requirements  need  not  occur  for  disclosures  that 
fit  (b)  or  (c):  by  their  disjunctive  nature,  only  one  positive  norm  needs  to  be  satisfied.  Satisfying 
only  paragraph  (b)  is  enough,  for  example.  This  is  similar  to  our  previous  comment. 

164.512(f)(3)(i) 

The  individual  agrees  to  the  disclosure;  or 

$$
\begin{aligned}
\varphi^{+}_{164.512f3i} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{law-enforcement-official}) \wedge \\
& (\text{belongstorole}(q, \text{victim-of-crime}) \vee \\
& \quad \text{belongstorole}(q, \text{suspected-victim-of-crime})) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{law-enforcement}) \wedge \\
& (\exists m'.\ \Diamond\text{send}(p_2, p_1, m') \wedge \\
& \quad \text{is-request-for}(m', p_1, p_2, (q, t), u)) \wedge \\
& (\exists m''.\ \Diamond\text{send}(q, p_1, m'') \wedge \\
& \quad \text{is-agreement-to}(m'', p_1, p_2, (q, t), u))
\end{aligned}
$$
164.512(f)(3)(ii)


The covered entity is unable to obtain the individual’s agreement because of incapacity
or other emergency circumstance, provided that:

(A) The law enforcement official represents that such information is needed to determine
whether a violation of law by a person other than the victim has occurred,
and such information is not intended to be used against the victim;

(B) The law enforcement official represents that immediate law enforcement activity
that depends upon the disclosure would be materially and adversely affected by
waiting until the individual is able to agree to the disclosure; and

(C) The disclosure is in the best interests of the individual as determined by the covered
entity, in the exercise of professional judgment.

$$
\begin{aligned}
\varphi^{+}_{164.512f3ii} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{law-enforcement-official}) \wedge \\
& (\text{belongstorole}(q, \text{victim-of-crime}) \vee \\
& \quad \text{belongstorole}(q, \text{suspected-victim-of-crime})) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{law-enforcement}) \wedge \\
& (\exists m'.\ \Diamond\text{send}(p_2, p_1, m') \wedge \\
& \quad \text{is-request-for}(m', p_1, p_2, (q, t), u)) \wedge \\
& \text{belongstorole}(q, \text{emergency-circumstance}) \wedge \\
& \text{represents-needed-to-determine-crime}(p_2, p_1, p_2, (q, t), u) \wedge \\
& \text{represents-not-used-against-victim}(p_2, p_1, p_2, (q, t), u) \wedge \\
& \text{represents-activity-adversely-affected-by-wait}(p_2, p_1, p_2, (q, t), u) \wedge \\
& \text{believes-in-best-interest}(p_1, p_1, p_2, (q, t), u)
\end{aligned}
$$

Again,  the  represents-...  predicates  and  the  believes-in-best-interest  predicate  rely  on  oracles  for 
their  semantics. 

164.512(f)(4) 

A  covered  entity  may  disclose  protected  health  information  about  an  individual  who 
has  died  to  a  law  enforcement  official  for  the  purpose  of  alerting  law  enforcement  of  the 
death  of  the  individual  if  the  covered  entity  has  a  suspicion  that  such  death  may  have 
resulted  from  criminal  conduct. 

$$
\begin{aligned}
\varphi^{+}_{164.512f4} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{law-enforcement-official}) \wedge \\
& \text{belongstorole}(q, \text{deceased}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{suspicious-death-notification}(q)) \wedge \\
& \text{believes-death-may-be-result-of-crime}(p_1, q)
\end{aligned}
$$

The  believes-death-may-be-result-of-crime  predicate  also  uses  an  oracle  for  its  semantics. 
164.512(f)(5)

A covered entity may disclose to a law enforcement official protected health information
that the covered entity believes in good faith constitutes evidence of criminal
conduct that occurred on the premises of the covered entity.

$$
\begin{aligned}
\varphi^{+}_{164.512f5} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{law-enforcement-official}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{report-possible-crime-on-premises}(p_1)) \wedge \\
& \text{believes-evidence-of-crime-on-premises}(p_1, (q, t))
\end{aligned}
$$


164.512(f)(6)

Since §164.512(f)(6)(ii) constitutes a local negative norm on §164.512(f)(6)(i), the norms are joined
with conjunction, forming a new positive norm:

$$
\varphi^{+}_{164.512f6} = \varphi^{+}_{164.512f6i} \wedge \varphi^{-}_{164.512f6ii}
$$

164.512(f)(6)(i) 

A  covered  health  care  provider  providing  emergency  health  care  in  response  to  a 
medical  emergency,  other  than  such  emergency  on  the  premises  of  the  covered  health 
care  provider,  may  disclose  protected  health  information  to  a  law  enforcement  official  if 
such  disclosure  appears  necessary  to  alert  law  enforcement  to: 

(A)  The  commission  and  nature  of  a  crime; 

(B)  The  location  of  such  crime  or  of  the  victim(s)  of  such  crime;  and 

(C)  The  identity,  description,  and  location  of  the  perpetrator  of  such  crime. 

$$
\begin{aligned}
\varphi^{+}_{164.512f6i} ={} & \text{activerole}(p_1, \text{provider}) \wedge \\
& \text{activerole}(p_2, \text{law-enforcement-official}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{alert-of-crime-commission-location-victims-perpetrator}) \wedge \\
& \text{providing-emergency-healthcare}(p_1, q) \wedge \\
& \text{appears-necessary-to-alert-of-crime-commission-location-victims-perpetrator}(p_1, p_2, (q, t), u)
\end{aligned}
$$

164.512(f)(6)(ii)

If  a  covered  health  care  provider  believes  that  the  medical  emergency  described  in 
paragraph  (f)(6)(i)  of  this  section  is  the  result  of  abuse,  neglect,  or  domestic  violence  of 
the  individual  in  need  of  emergency  health  care,  paragraph  (f)(6)(i)  of  this  section  does 
not  apply  and  any  disclosure  to  a  law  enforcement  official  for  law  enforcement  purposes 
is  subject  to  paragraph  (c)  of  this  section. 

$$
\varphi^{-}_{164.512f6ii} = \neg\text{believes-emergency-result-of-abuse-neglect-domestic-violence}(p_1, q)
$$

Note  that  we  have  changed  “a  covered  healthcare  provider”  to  refer  to  the  covered  healthcare 
provider  of  the  potential  disclosure.  We  believe  that  this  is  the  intended  or  implied  meaning. 
164.512(g)

164.512(g)(1) 

A  covered  entity  may  disclose  protected  health  information  to  a  coroner  or  medical 
examiner  for  the  purpose  of  identifying  a  deceased  person,  determining  a  cause  of  death, 
or  other  duties  as  authorized  by  law.  A  covered  entity  that  also  performs  the  duties  of 
a  coroner  or  medical  examiner  may  use  protected  health  information  for  the  purposes 
described  in  this  paragraph. 

$$
\begin{aligned}
\varphi^{+}_{164.512g1} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& (\text{activerole}(p_2, \text{coroner}) \vee \\
& \quad \text{activerole}(p_2, \text{medical-examiner})) \wedge \\
& \text{belongstorole}(q, \text{deceased}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& ((u \in_U \text{identification}(q)) \vee \\
& \quad (u \in_U \text{determining-cause-of-death}(q)) \vee \\
& \quad \text{authorized-by-law}(p_2, u))
\end{aligned}
$$

We have taken the liberty of parameterizing the identification and cause of death purposes by the
deceased individual $q$ to more tightly reflect what we believe to be the intended meaning.

164.512(g)(2) 

A covered entity may disclose protected health information to funeral directors, consistent
with applicable law, as necessary to carry out their duties with respect to the
decedent. If necessary for funeral directors to carry out their duties, the covered entity
may disclose the protected health information prior to, and in reasonable anticipation
of, the individual’s death.

$$
\begin{aligned}
\varphi^{+}_{164.512g2} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{funeral-director}) \wedge \\
& (\text{belongstorole}(q, \text{deceased}) \vee \\
& \quad ((\Diamond{\downarrow}y.\ (x > y - c) \wedge \text{belongstorole}(q, \text{deceased})) \wedge \\
& \quad\quad \text{early-disclosure-necessary}(p_1, p_2, (q, t), u))) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{funeral-director-duties}(q)) \wedge \\
& \text{necessary-for-duties}(p_1, p_2, (q, t), u)
\end{aligned}
$$

Note that we use the $\Diamond{\downarrow}y$ operator to formalize disclosure prior to death, where $c$ stands for a
reasonable interval of time.

164.512(h) 

A covered entity may use or disclose protected health information to organ procurement
organizations or other entities engaged in the procurement, banking, or transplantation
of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or
tissue donation and transplantation.

$$
\begin{aligned}
\varphi^{+}_{164.512h} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& (\text{activerole}(p_2, \text{organ-procurement-organization}) \vee \\
& \quad \text{activerole}(p_2, \text{engaged-in-procurement-banking-transplantation-of-organs-eyes-tissue})) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{facilitate-organ-eye-tissue-donation-transplantation})
\end{aligned}
$$

Note that, in accordance with a literal reading of this paragraph, this norm allows arbitrary protected
health information of any individual to be disclosed to transplant organizations. In our
interpretation, the principle of minimum necessary disclosure for the purpose of facilitating organ
donation and transplantation will appropriately constrain the particular classes of information that
may be disclosed.

164.512(i) 

164.512(i)(1)

A covered entity may use or disclose protected health information for research, regardless
of the source of funding of the research, provided that:

(i) Board approval of a waiver of authorization. The covered entity obtains documentation
that an alteration to or waiver, in whole or in part, of the individual
authorization required by §164.508 for use or disclosure of protected health information
has been approved by either:

(A) An Institutional Review Board (IRB), established in accordance with 7 CFR
1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107,
21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR
219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107,
45 CFR 690.107, or 49 CFR 11.107; or

(B) A privacy board that:

(1) Has members with varying backgrounds and appropriate professional competency
as necessary to review the effect of the research protocol on the
individual’s privacy rights and related interests;

(2)  Includes  at  least  one  member  who  is  not  affiliated  with  the  covered  entity, 
not  affiliated  with  any  entity  conducting  or  sponsoring  the  research,  and 
not  related  to  any  person  who  is  affiliated  with  any  of  such  entities;  and 

(3)  Does  not  have  any  member  participating  in  a  review  of  any  project  in  which 
the  member  has  a  conflict  of  interest. 

(ii)  Reviews  preparatory  to  research.  The  covered  entity  obtains  from  the  researcher 
representations  that: 

(A)  Use  or  disclosure  is  sought  solely  to  review  protected  health  information  as 
necessary  to  prepare  a  research  protocol  or  for  similar  purposes  preparatory  to 
research; 

(B)  No  protected  health  information  is  to  be  removed  from  the  covered  entity  by 
the  researcher  in  the  course  of  the  review;  and 

(C)  The  protected  health  information  for  which  use  or  access  is  sought  is  necessary 
for  the  research  purposes. 

(iii) Research on decedent’s information. The covered entity obtains from the researcher:

(A) Representation that the use or disclosure sought is solely for research on the
protected health information of decedents;

(B) Documentation, at the request of the covered entity, of the death of such individuals;
and

(C)  Representation  that  the  protected  health  information  for  which  use  or  disclosure 
is  sought  is  necessary  for  the  research  purposes. 

We  have  the  positive  norm: 

$$
\begin{aligned}
\varphi^{+}_{164.512i1} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{researcher}) \wedge \\
& \text{belongstorole}(q, \text{deceased}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{research}) \wedge \\
& (\exists p_3, m'.\ (\text{activerole}(p_3, \text{institutional-review-board}(p_1)) \vee \\
& \quad\quad \text{activerole}(p_3, \text{privacy-board}(p_1, p_2, (q, t), u))) \wedge \\
& \quad \Diamond\text{send}(p_3, p_1, m') \wedge \\
& \quad \text{is-approval-of-authorization-waiver}(m', p_3, p_1, p_2, (q, t), u)) \wedge \\
& \text{represents-disclosure-solely-for-research-preparation}(p_2, p_1, p_2, (q, t), u) \wedge \\
& \text{represents-no-information-removed-during-review}(p_2, p_1, p_2, (q, t), u) \wedge \\
& \text{represents-information-necessary-for-research}(p_2, p_1, p_2, (q, t), u) \wedge \\
& \text{represents-disclosure-solely-for-decedent-research}(p_2, p_1, p_2, (q, t), u) \wedge \\
& \text{represents-disclosure-necessary-for-research}(p_2, p_1, p_2, (q, t), u)
\end{aligned}
$$

and  the  constraint: 

$$
\begin{aligned}
& \text{activerole}(p_3, \text{privacy-board}(p_1, p_2, (q, t), u)) \Rightarrow \\
& \quad \text{is-varied-and-competent-to-review-research-effect-on-privacy}(p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{at-least-one-member-not-affiliated-covered-entity-or-sponsor}(p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{has-no-conflict-of-interest}(p_3, p_1, p_2, (q, t), u)
\end{aligned}
$$

Note  that  we  leave  the  institutional-review-board  role  unconstrained  since  it  will  be  defined  by  the 
other  relevant  laws.  We  also  have  constrained  privacy-board  as  in  paragraph  (i)(B).  Finally,  the 
represents-...  predicates  rely  on  oracles  to  give  their  semantics. 

164.512(i)(2) 

For a use or disclosure to be permitted based on documentation of approval of an
alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must
include all of the following:

We  have  the  following  macro  which  describes  the  conditions  under  which  a  message  is  a  valid 
approval  of  a  waiver  of  authorization: 

$$
\begin{aligned}
& \text{is-approval-of-authorization-waiver}(m', p_3, p_1, p_2, (q, t), u) = \\
& \quad \text{is-approval-of-authorization-waiver-164.512i2i}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{is-approval-of-authorization-waiver-164.512i2ii}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{is-approval-of-authorization-waiver-164.512i2iii}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{is-approval-of-authorization-waiver-164.512i2iv}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{is-approval-of-authorization-waiver-164.512i2v}(m', p_3, p_1, p_2, (q, t), u)
\end{aligned}
$$


164.512(i)(2)(i) 

Identification  and  date  of  action.  A  statement  identifying  the  IRB  or  privacy  board 
and  the  date  on  which  the  alteration  or  waiver  of  authorization  was  approved; 

We  have  another  macro: 

$$
\begin{aligned}
& \text{is-approval-of-authorization-waiver-164.512i2i}(m', p_3, p_1, p_2, (q, t), u) = \\
& \quad \text{contains-statement-identifying-privacy-board}(m', p_3) \wedge \\
& \quad \exists r{:}\text{time}.\ \text{contains-date-of-approval}(m', r)
\end{aligned}
$$

164.512(i)(2)(ii) 

Waiver  criteria.  A  statement  that  the  IRB  or  privacy  board  has  determined  that  the 
alteration  or  waiver,  in  whole  or  in  part,  of  authorization  satisfies  the  following  criteria: 

(A)  The  use  or  disclosure  of  protected  health  information  involves  no  more  than  a 
minimal  risk  to  the  privacy  of  individuals,  based  on,  at  least,  the  presence  of  the 
following  elements: 

(1)  An  adequate  plan  to  protect  the  identifiers  from  improper  use  and  disclosure; 

(2)  An  adequate  plan  to  destroy  the  identifiers  at  the  earliest  opportunity  consistent 
with  conduct  of  the  research,  unless  there  is  a  health  or  research  justification 
for  retaining  the  identifiers  or  such  retention  is  otherwise  required  by  law;  and 

(3)  Adequate  written  assurances  that  the  protected  health  information  will  not  be 
reused  or  disclosed  to  any  other  person  or  entity,  except  as  required  by  law, 
for  authorized  oversight  of  the  research  study,  or  for  other  research  for  which 
the  use  or  disclosure  of  protected  health  information  would  be  permitted  by  this 
subpart; 

(B)  The  research  could  not  practicably  be  conducted  without  the  waiver  or  alteration; 
and 

(C)  The  research  could  not  practicably  be  conducted  without  access  to  and  use  of  the 
protected  health  information. 

And  another  macro: 

$$
\begin{aligned}
& \text{is-approval-of-authorization-waiver-164.512i2ii}(m', p_3, p_1, p_2, (q, t), u) = \\
& \quad \text{contains-statement-of-minimal-risk}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{contains-statement-of-protection-plan-is-adequate}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{contains-statement-of-destruction-plan-is-adequate}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{contains-statement-of-assurances-of-no-redisclosure-are-adequate}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{contains-statement-of-waiver-is-necessary}(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{contains-statement-of-phi-is-necessary}(m', p_3, p_1, p_2, (q, t), u)
\end{aligned}
$$

164.512(i)(2)(iii) 

Protected  health  information  needed.  A  brief  description  of  the  protected  health 
information  for  which  use  or  access  has  been  determined  to  be  necessary  by  the  IRB  or 
privacy  board  has  determined,  pursuant  to  paragraph  (i)(2)(ii)(C)  of  this  section; 

$$
\begin{aligned}
& \text{is-approval-of-authorization-waiver-164.512i2iii}(m', p_3, p_1, p_2, (q, t), u) = \\
& \quad \text{contains-description-of-phi-necessary}(m', (q, t))
\end{aligned}
$$

164.512(i)(2)(iv)


Review and approval procedures. A statement that the alteration or waiver of authorization
has been reviewed and approved under either normal or expedited review
procedures, as follows:

(A) An IRB must follow the requirements of the Common Rule, including the normal
review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b),
15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b),
24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b),
38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b),
or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR
745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22
CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110,
38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR
11.110);

(B) A privacy board must review the proposed research at convened meetings at which a
majority of the privacy board members are present, including at least one member
who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and
the alteration or waiver of authorization must be approved by the majority of the
privacy board members present at the meeting, unless the privacy board elects to
use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of
this section;

(C)  A  privacy  board  may  use  an  expedited  review  procedure  if  the  research  involves  no 
more  than  minimal  risk  to  the  privacy  of  the  individuals  who  are  the  subject  of 
the  protected  health  information  for  which  use  or  disclosure  is  being  sought.  If  the 
privacy  board  elects  to  use  an  expedited  review  procedure,  the  review  and  approval 
of  the  alteration  or  waiver  of  authorization  may  be  carried  out  by  the  chair  of  the 
privacy  board,  or  by  one  or  more  members  of  the  privacy  board  as  designated  by 
the  chair;  and 

$$
\begin{aligned}
& \text{is-approval-of-authorization-waiver-164.512i2iv}(m', p_3, p_1, p_2, (q, t), u) = \\
& \quad \text{contains-statement-of-review-and-approval-under-}\ldots(m', p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad (\text{contains-statement-of-adherence-to-regular-review}(m', p_3, p_1, p_2, (q, t), u) \vee \\
& \quad\ \ \text{contains-statement-of-adherence-to-expedited-review}(m', p_3, p_1, p_2, (q, t), u))
\end{aligned}
$$

164.512(i)(2)(v) 

Required  signature.  The  documentation  of  the  alteration  or  waiver  of  authorization 
must  be  signed  by  the  chair  or  other  member,  as  designated  by  the  chair,  of  the  IRB  or 
the  privacy  board,  as  applicable. 

$$
\begin{aligned}
& \text{is-approval-of-authorization-waiver-164.512i2v}(m', p_3, p_1, p_2, (q, t), u) = \\
& \quad \text{contains-signature}(m', p_3)
\end{aligned}
$$

164.512(j)

164.512(j)(1)

A  covered  entity  may,  consistent  with  applicable  law  and  standards  of  ethical  conduct, 
use  or  disclose  protected  health  information,  if  the  covered  entity,  in  good  faith,  believes 
the  use  or  disclosure: 

164.512(j)(1)(i)

(A)  Is  necessary  to  prevent  or  lessen  a  serious  and  imminent  threat  to  the  health 
or  safety  of  a  person  or  the  public;  and 

(B)  Is  to  a  person  or  persons  reasonably  able  to  prevent  or  lessen  the  threat,  including 
the  target  of  the  threat;  or 

$$
\begin{aligned}
\varphi^{+}_{164.512j1i} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{lessen-health-threat}) \wedge \\
& \text{consistent-with-applicable-law}(p_1, p_2, (q, t), u) \wedge \\
& \text{believes-necessary-to-lessen-health-threat}(p_1, p_1, p_2, (q, t), u) \wedge \\
& \text{believes-can-lessen-threat}(p_1, p_2, u)
\end{aligned}
$$

As  usual,  the  new  predicates  are  given  semantics  by  oracles. 

164.512(j)(1)(ii)

Is necessary for law enforcement authorities to identify or apprehend an individual:

164.512(j)(1)(ii)(A)

Because  of  a  statement  by  an  individual  admitting  participation  in  a  violent  crime 
that  the  covered  entity  reasonably  believes  may  have  caused  serious  physical  harm  to  the 
victim;  or 

We  have  the  positive  norm: 

$$
\begin{aligned}
\varphi^{+}_{164.512j1iiA} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{law-enforcement-official}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{identify-apprehend}(q)) \wedge \\
& \text{consistent-with-applicable-law}(p_1, p_2, (q, t), u) \wedge \\
& (\exists m'.\ \Diamond\text{send}(q, p_1, m') \wedge \\
& \quad \text{is-admission-of-crime}(m') \wedge \\
& \quad \text{believes-crime-caused-serious-harm}(p_1, m'))
\end{aligned}
$$

Although  it  is  not  stated  explicitly  in  the  text,  we  believe  that  this  paragraph  applies  only  when  the 
information  is  disclosed  to  a  law  enforcement  official.  Therefore,  we  have  constrained  the  recipient 
appropriately  in  our  norm. 

As  we  will  see  in  the  following  paragraphs,  local  negative  norms  constrain  this  positive  norm. 
Therefore,  we  form  the  new  positive  norm: 
$$
\varphi^{+}_{164.512j1iiA'} = \varphi^{+}_{164.512j1iiA} \wedge (\varphi^{-}_{164.512j2i} \wedge \varphi^{-}_{164.512j2ii} \wedge \varphi^{-}_{164.512j3})
$$

164.512(j)(l)(ii)(B) 

Where it appears from all the circumstances that the individual has escaped from a
correctional institution or from lawful custody, as those terms are defined in §164.501.

We  have  the  positive  norm: 

$$
\begin{aligned}
\varphi^{+}_{164.512j1iiB} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{activerole}(p_2, \text{law-enforcement-official}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{identify-apprehend}(q)) \wedge \\
& \text{consistent-with-applicable-law}(p_1, p_2, (q, t), u) \wedge \\
& \text{believes-escaped-lawful-custody}(p_1, q)
\end{aligned}
$$

Again,  we  believe  that  the  intended  recipient  is  a  law  enforcement  official. 

164.512(j)(2) 

A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be
made if the information described in paragraph (j)(1)(ii)(A) of this section is learned
by the covered entity:

164.512(j)(2)(i) 

In the course of treatment to affect the propensity to commit the criminal conduct
that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or
counseling or therapy; or

$$
\varphi^{-}_{164.512j2i} = \neg\text{learned-while-treating-propensity-for-crime}(p_1, (q, t))
$$

164.512(j)(2)(ii) 

Through a request by the individual to initiate or to be referred for the treatment,
counseling, or therapy described in paragraph (j)(2)(i) of this section.

$$
\varphi^{-}_{164.512j2ii} = \neg\text{learned-through-request-for-treatment-of-propensity-for-crime}(p_1, (q, t))
$$

164.512(j)(3) 

A disclosure made pursuant to paragraph (j)(1)(ii)(A) of this section shall contain
only the statement described in paragraph (j)(1)(ii)(A) of this section and the protected
health information described in paragraph (f)(2)(i) of this section.

We have the following negative norm, which is local to paragraph (j)(1)(ii)(A):

$$
\begin{aligned}
\varphi^{-}_{164.512j3} ={} & (\exists m'.\ \Diamond\text{send}(q, p_1, m') \wedge \\
& \quad \text{is-admission-of-crime}(m', q) \wedge \\
& \quad \text{contains-msg}(m, m') \wedge \\
& \quad \text{contains}(m', q, t)) \vee \\
& (t \in_T \text{name-and-address}) \vee \\
& (t \in_T \text{date-and-place-of-birth}) \vee \\
& (t \in_T \text{social-security-number}) \vee \\
& (t \in_T \text{ABO-blood-type-and-rh-factor}) \vee \\
& (t \in_T \text{type-of-injury}) \vee \\
& (t \in_T \text{date-and-time-of-treatment}) \vee \\
& (t \in_T \text{date-and-time-of-death}) \vee \\
& (t \in_T \text{distinguishing-physical-characteristics})
\end{aligned}
$$


Although  this  paragraph  refers  back  to  paragraph  (f)(2) (i),  it  does  not  do  so  with  the  intent  of 
referencing  the  permitted  disclosure  there.  Instead,  the  reference  is  to  the  list  of  allowable  attribute 
classes.  Therefore,  we  choose  to  copy  those  attributes  here. 
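As an added illustration that is not part of the report, the following Python encodes $\varphi^{+}_{164.512f2}$ with its (f)(2)(i) attribute list and $\varphi^{+}_{164.512j1iiA'}$ with its three local negative norms, then evaluates the disjunction of positive norms over constructed disclosure events. The principals (hospital, officer, alice), the message kinds, the oracle keys and the flat purpose strings (compared by equality instead of $\in_U$) are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Attribute classes enumerated in 164.512(f)(2)(i); the report copies the
# same list into the local negative norm for 164.512(j)(3).
F2I_ATTRIBUTES = frozenset({
    "name-and-address", "date-and-place-of-birth", "social-security-number",
    "ABO-blood-type-and-rh-factor", "type-of-injury",
    "date-and-time-of-treatment", "date-and-time-of-death",
    "distinguishing-physical-characteristics",
})

@dataclass(frozen=True)
class Message:
    """A message already in the trace: a witness for a past send(...)."""
    sender: str
    receiver: str
    kind: str               # constructed kinds: "request-for", "admission-of-crime"
    attributes: frozenset = frozenset()   # attribute classes the message contains

@dataclass
class Disclosure:
    """The send(p1, p2, m) event under evaluation and what the norms inspect."""
    p1: str                 # sender (the covered entity)
    p2: str                 # recipient
    q: str                  # individual the information is about
    t: str                  # attribute class of the disclosed information
    u: str                  # purpose of the disclosure
    roles: dict             # principal -> set of roles (activerole / belongstorole)
    history: tuple = ()     # earlier Message objects
    oracle: dict = field(default_factory=dict)  # opaque predicates (believes-..., learned-...)

    def has_role(self, p, role):
        return role in self.roles.get(p, set())

    def past_sends(self, sender, receiver, kind):
        """Witnesses for  exists m'. <>send(sender, receiver, m')  of the given kind."""
        return [m for m in self.history
                if (m.sender, m.receiver, m.kind) == (sender, receiver, kind)]

def pos_164_512_f2(d):
    """phi+_{164.512f2}: identification/location request from law enforcement."""
    return (d.has_role(d.p1, "covered-entity")
            and d.has_role(d.p2, "law-enforcement-official")
            and d.t in F2I_ATTRIBUTES
            and d.u == "law-enforcement-relevant-identification-or-location"
            and bool(d.past_sends(d.p2, d.p1, "request-for")))

def pos_164_512_j1iiA(d):
    """phi+_{164.512j1iiA} before its local negative norms are conjoined."""
    return (d.has_role(d.p1, "covered-entity")
            and d.has_role(d.p2, "law-enforcement-official")
            and d.u == "identify-apprehend"
            and d.oracle.get("consistent-with-applicable-law", False)
            and bool(d.past_sends(d.q, d.p1, "admission-of-crime"))
            and d.oracle.get("believes-crime-caused-serious-harm", False))

def neg_164_512_j2i(d):
    return not d.oracle.get("learned-while-treating-propensity-for-crime", False)

def neg_164_512_j2ii(d):
    return not d.oracle.get("learned-through-request-for-treatment", False)

def neg_164_512_j3(d):
    """Only the admission statement itself or an (f)(2)(i) attribute may be sent."""
    in_admission = any(d.t in m.attributes
                       for m in d.past_sends(d.q, d.p1, "admission-of-crime"))
    return in_admission or d.t in F2I_ATTRIBUTES

def pos_164_512_j1iiA_prime(d):
    """phi+_{j1iiA'} = phi+_{j1iiA} and phi-_{j2i} and phi-_{j2ii} and phi-_{j3}."""
    return (pos_164_512_j1iiA(d) and neg_164_512_j2i(d)
            and neg_164_512_j2ii(d) and neg_164_512_j3(d))

POSITIVE_NORMS = (pos_164_512_f2, pos_164_512_j1iiA_prime)
GLOBAL_NEGATIVE_NORMS = ()   # the paragraphs covered here introduce none

def permitted(d):
    """Disjunction over positive norms, conjunction over global negative norms."""
    return (any(n(d) for n in POSITIVE_NORMS)
            and all(n(d) for n in GLOBAL_NEGATIVE_NORMS))

def example_events():
    """Constructed disclosure events (not from the report) exercising the norms."""
    roles = {"hospital": {"covered-entity"},
             "officer": {"law-enforcement-official"}, "alice": set()}
    request = Message("officer", "hospital", "request-for")
    admission = Message("alice", "hospital", "admission-of-crime",
                        frozenset({"admission-statement"}))
    base = dict(p1="hospital", p2="officer", q="alice", roles=roles)
    locate = "law-enforcement-relevant-identification-or-location"
    good_faith = {"consistent-with-applicable-law": True,
                  "believes-crime-caused-serious-harm": True}
    therapy = {**good_faith, "learned-while-treating-propensity-for-crime": True}
    return {
        # (f)(2): SSN after a request from the officer -> permitted
        "f2-ssn": Disclosure(t="social-security-number", u=locate, history=(request,), **base),
        # (f)(2): dental records are not in the (f)(2)(i) list -> not permitted
        "f2-dental": Disclosure(t="dental-records", u=locate, history=(request,), **base),
        # (j)(1)(ii)(A): the admission statement itself -> permitted
        "j-admission": Disclosure(t="admission-statement", u="identify-apprehend",
                                  history=(admission,), oracle=dict(good_faith), **base),
        # (j)(2)(i): admission learned during therapy -> blocked by the local norm
        "j-therapy": Disclosure(t="admission-statement", u="identify-apprehend",
                                history=(admission,), oracle=therapy, **base),
    }
```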


164.512(j)(4) 

A covered entity that uses or discloses protected health information pursuant to paragraph
(j)(1) of this section is presumed to have acted in good faith with regard to a belief
described in paragraph (j)(1)(i) or (ii) of this section, if the belief is based upon the
covered entity’s actual knowledge or in reliance on a credible representation by a person
with apparent knowledge or authority.

We  believe  that  this  paragraph  is  making  a  “meta-level”  comment  that  is  applicable  only  if 
legal  complaints  are  brought  against  the  covered  entity  for  an  alleged  failure  to  act  in  good  faith. 
Consequently,  we  do  not  include  any  norms  here. 

164.512(k) 

164.512(k)(1)

164.512(k)(1)(i)

A covered entity may use and disclose the protected health information of individuals
who are Armed Forces personnel for activities deemed necessary by appropriate military
command authorities to assure the proper execution of the military mission, if the appropriate
military authority has published by notice in the FEDERAL REGISTER the
following information:

(A)  Appropriate  military  command  authorities;  and 

(B)  The  purposes  for  which  the  protected  health  information  may  be  used  or  disclosed. 

We  have  the  positive  norm: 

$$
\begin{aligned}
\varphi^{+}_{164.512k1i} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{belongstorole}(q, \text{armed-forces-personnel}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (\exists p_3.\ \text{deemed-necessary-for-mission}(p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{published-in-FR-command-authority-for-disclosure}(p_3, p_1, p_2, (q, t), u) \wedge \\
& \quad \text{published-in-FR-purpose-for-disclosure}(u, p_1, p_2, (q, t), u))
\end{aligned}
$$

As  usual,  the  new  predicates  depend  on  oracles. 

164.512(k)(1)(ii)

A covered entity that is a component of the Departments of Defense or Transportation
may disclose to the Department of Veterans Affairs (DVA) the protected health
information of an individual who is a member of the Armed Forces upon the separation
or discharge of the individual from military service for the purpose of a determination by
DVA of the individual’s eligibility for or entitlement to benefits under laws administered
by the Secretary of Veterans Affairs.

$$
\begin{aligned}
\varphi^{+}_{164.512k1ii} ={} & \text{activerole}(p_1, \text{covered-entity}) \wedge \\
& \text{belongstorole}(p_1, \text{component-of-DoD-or-DoT}) \wedge \\
& \text{activerole}(p_2, \text{DVA}) \wedge \\
& \Diamond\text{belongstorole}(q, \text{armed-forces-member}) \wedge \\
& (t \in_T \text{phi}) \wedge \\
& (u \in_U \text{eligibility-determination-for-veterans-benefits})
\end{aligned}
$$

Note the use of the temporal $\Diamond$ operator on belongstorole to ensure that the individual was a
member of the Armed Forces.

Also, it is not clear to us whether there is (or should be) a distinction between the terms
“member” and “personnel” as used in paragraphs (k)(1)(i) and (ii). We choose to follow the
vocabulary used in law.

164.512(k)(1)(iii)

A covered entity that is a component of the Department of Veterans Affairs may
use and disclose protected health information to components of the Department that
determine eligibility for or entitlement to, or that provide, benefits under the laws administered
by the Secretary of Veterans Affairs.

We  have  the  positive  norm: 

$$
\begin{aligned}
\varphi_{164.512k1iii} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& \mathit{activerole}(p_1, \text{component-of-DVA}) \wedge{} \\
& \mathit{activerole}(p_2, \text{component-of-DVA}) \wedge{} \\
& (t \in_T \mathit{phi}) \wedge{} \\
& ((u \in_U \text{eligibility-determination-for-veterans-benefits}) \vee{} \\
& \ (u \in_U \text{provision-of-veterans-benefits}))
\end{aligned}
$$

Because this paragraph makes no mention of q's role, we leave q's role unconstrained. It is possible
that this paragraph intends that q is a former member of the Armed Forces, as is explicitly required
in (k)(1)(ii). However, we choose to be conservative and follow the text literally.
164.512(k)(1)(iv)


A covered entity may use and disclose the protected health information of individuals
who are foreign military personnel to their appropriate foreign military authority for
the same purposes for which uses and disclosures are permitted for Armed Forces
personnel under the notice published in the FEDERAL REGISTER pursuant to paragraph
(k)(1)(i) of this section.

$$
\begin{aligned}
\varphi_{164.512k1iv} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& \mathit{belongstorole}(q, \text{foreign-military-personnel}) \wedge{} \\
& (t \in_T \mathit{phi}) \wedge{} \\
& (\exists p_3.\ \text{deemed-necessary-for-mission}(p_3, p_1, p_2, (q, t), u) \wedge{} \\
& \qquad \text{published-in-FR-command-authority-for-disclosure}(p_3, p_1, p_2, (q, t), u) \wedge{} \\
& \qquad \text{published-in-FR-purpose-for-disclosure}(u, p_1, p_2, (q, t), u))
\end{aligned}
$$

Note that this is the same as paragraph (k)(1)(i), with the exception of q's role, which is now
foreign-military-personnel.

164.512(k)(2)

A covered entity may disclose protected health information to authorized federal
officials for the conduct of lawful intelligence, counter-intelligence, and other national
security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and
implementing authority (e.g., Executive Order 12333).

We  have  the  positive  norm: 

$$
\begin{aligned}
\varphi_{164.512k2} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& (t \in_T \mathit{phi}) \wedge{} \\
& (u \in_U \text{national-security-activities}) \wedge{} \\
& \text{NSA-authorized-recipient}(p_2) \wedge{} \\
& \text{NSA-authorized-purpose}(u)
\end{aligned}
$$

164.512(k)(3)

A covered entity may disclose protected health information to authorized federal
officials for the provision of protective services to the President or other persons authorized
by 18 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C.
2709(a)(3), or to for the conduct of investigations authorized by 18 U.S.C. 871 and 879.

$$
\begin{aligned}
\varphi_{164.512k3} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& \mathit{activerole}(p_2, \text{authorized-federal-official}) \wedge{} \\
& (t \in_T \mathit{phi}) \wedge{} \\
& ((\exists p_3.\ (u \in_U \text{provision-of-protective-services}(p_3)) \wedge{} \\
& \qquad (\text{authorized-to-receive-protection-18USC3056}(p_3) \vee{} \\
& \qquad\ \text{authorized-to-receive-protection-22USC2709a3}(p_3))) \vee{} \\
& \ (u \in_U \text{conduct-investigations-18USC871-and-879}))
\end{aligned}
$$
164.512(k)(4)

A  covered  entity  that  is  a  component  of  the  Department  of  State  may  use  protected 
health  information  to  make  medical  suitability  determinations  and  may  disclose  whether 
or  not  the  individual  was  determined  to  be  medically  suitable  to  the  officials  in  the 
Department  of  State  who  need  access  to  such  information  for  the  following  purposes: 

(i)  For  the  purpose  of  a  required  security  clearance  conducted  pursuant  to  Executive 
Orders  10450  and  12698; 

(ii) As necessary to determine worldwide availability or availability for mandatory
service abroad under sections 101(a)(4) and 504 of the Foreign Service Act; or

(iii) For a family to accompany a Foreign Service member abroad, consistent with
section 101(b)(5) and 904 of the Foreign Service Act.

$$
\begin{aligned}
\varphi_{164.512k4} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& \mathit{activerole}(p_1, \text{component-of-DoS}) \wedge{} \\
& \mathit{activerole}(p_2, \text{DoS-official}) \wedge{} \\
& (t \in_T \text{medical-suitability}(u)) \wedge{} \\
& ((u \in_U \text{security-clearance-EO-10450-and-12698}) \vee{} \\
& \ (u \in_U \text{determine-availability-for-foreign-service-FSA-101a4-and-504}) \vee{} \\
& \ (u \in_U \text{determine-family-accompaniment-FSA-101b5-and-904}))
\end{aligned}
$$

164.512(k)(5) 

164.512(k)(5)(i) 

A covered entity may disclose to a correctional institution or a law enforcement
official having lawful custody of an inmate or other individual protected health information
about such inmate or individual, if the correctional institution or such law enforcement
official represents that such protected health information is necessary for:

(A)  The  provision  of  health  care  to  such  individuals; 

(B)  The  health  and  safety  of  such  individual  or  other  inmates; 

(C)  The  health  and  safety  of  the  officers  or  employees  of  or  others  at  the  correctional 
institution; 

(D)  The  health  and  safety  of  such  individuals  and  officers  or  other  persons  responsible 
for  the  transporting  of  inmates  or  their  transfer  from  one  institution,  facility,  or 
setting  to  another; 

(E)  Law  enforcement  on  the  premises  of  the  correctional  institution;  and 

(F)  The  administration  and  maintenance  of  the  safety,  security,  and  good  order  of  the 
correctional  institution. 

$$
\begin{aligned}
\varphi_{164.512k5i} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& (\mathit{activerole}(p_2, \text{correctional-institution}) \vee{} \\
& \ \mathit{activerole}(p_2, \text{law-enforcement-official})) \wedge{} \\
& \mathit{belongstorole}(q, \text{in-lawful-custody}(p_2)) \wedge{} \\
& (t \in_T \mathit{phi}) \wedge{} \\
& \text{represents-necessary-for-providing-healthcare}(p_2, p_1, p_2, (q, t), u) \wedge{} \\
& \text{represents-necessary-for-health-safety-of-inmates}(p_2, p_1, p_2, (q, t), u) \wedge{} \\
& \text{represents-necessary-for-health-safety-of-employees}(p_2, p_1, p_2, (q, t), u) \wedge{} \\
& \text{represents-necessary-for-health-safety-of-transportation-officers}(p_2, p_1, p_2, (q, t), u) \wedge{} \\
& \text{represents-necessary-for-law-enforcement-on-premises}(p_2, p_1, p_2, (q, t), u) \wedge{} \\
& \text{represents-necessary-for-safety-security-order}(p_2, p_1, p_2, (q, t), u)
\end{aligned}
$$

164.512(k)(5)(ii) 

A covered entity that is a correctional institution may use protected health
information of individuals who are inmates for any purpose for which such protected health
information may be disclosed

Because our model does not support usage-based norms, we cannot handle this paragraph.
However, given an appropriately extended model, we believe that it would be relatively straightforward
to include modified versions of the corresponding disclosure-based norms.

164.512(k)(5)(iii) 

For  the  purposes  of  this  provision,  an  individual  is  no  longer  an  inmate  when  released 
on  parole,  probation,  supervised  release,  or  otherwise  is  no  longer  in  lawful  custody. 

Given that we used the role $\text{in-lawful-custody}(p_2)$ in paragraph (k)(5)(i), this paragraph seems
to suggest that $\neg\mathit{belongstorole}(q, \text{in-lawful-custody}(p_2))$ characterizes the fact that an individual
is not in lawful custody. This seems completely trivial, and so we do not include any norms or
constraints here.

164.512(k)(6) 

164.512(k)(6)(i) 

A  health  plan  that  is  a  government  program  providing  public  benefits  may  disclose 
protected  health  information  relating  to  eligibility  for  or  enrollment  in  the  health  plan 
to  another  agency  administering  a  government  program  providing  public  benefits  if  the 
sharing  of  eligibility  or  enrollment  information  among  such  government  agencies  or  the 
maintenance  of  such  information  in  a  single  or  combined  data  system  accessible  to  all 
such  government  agencies  is  required  or  expressly  authorized  by  statute  or  regulation. 

$$
\begin{aligned}
\varphi_{164.512k6i} \equiv{} & \mathit{activerole}(p_1, \text{health-plan}) \wedge{} \\
& \mathit{activerole}(p_1, \text{government-public-benefits-program}) \wedge{} \\
& \mathit{activerole}(p_2, \text{government-public-benefits-program}) \wedge{} \\
& (t \in_T \mathit{phi}) \wedge{} \\
& \text{relates-to-eligibility-enrollment-in-health-plan}((q, t), p_1) \wedge{} \\
& \text{disclosure-required-or-authorized-by-statute-or-regulation}(p_1, p_2, (q, t), u)
\end{aligned}
$$
164.512(k)(6)(ii)

A covered entity that is a government agency administering a government program
providing public benefits may disclose protected health information relating to the
program to another covered entity that is a government agency administering a government
program providing public benefits if the programs serve the same or similar populations
and the disclosure of protected health information is necessary to coordinate the covered
functions of such programs or to improve administration and management relating to
the covered functions of such programs.

$$
\begin{aligned}
\varphi_{164.512k6ii} \equiv{} & \exists p_3, p_4.\ \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& \mathit{activerole}(p_1, \text{government-agency-administering}(p_3)) \wedge{} \\
& \mathit{activerole}(p_2, \text{covered-entity}) \wedge{} \\
& \mathit{activerole}(p_2, \text{government-agency-administering}(p_4)) \wedge{} \\
& \mathit{belongstorole}(p_3, \text{government-public-benefits-program}) \wedge{} \\
& \mathit{belongstorole}(p_4, \text{government-public-benefits-program}) \wedge{} \\
& (t \in_T \mathit{phi}) \wedge{} \\
& \text{relates-to-program}((q, t), p_3) \wedge{} \\
& \text{serve-similar-populations}(p_3, p_4) \wedge{} \\
& (\text{necessary-for-coordination}(p_3, p_4, p_1, p_2, (q, t), u) \vee{} \\
& \ \text{necessary-for-improve-management}(p_3, p_4, p_1, p_2, (q, t), u))
\end{aligned}
$$

164.512(l)

A  covered  entity  may  disclose  protected  health  information  as  authorized  by  and  to 
the  extent  necessary  to  comply  with  laws  relating  to  workers’  compensation  or  other 
similar  programs,  established  by  law,  that  provide  benefits  for  work-related  injuries  or 
illness  without  regard  to  fault. 

$$
\begin{aligned}
\varphi_{164.512l} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& (t \in_T \mathit{phi}) \wedge{} \\
& \text{authorized-and-necessary-for-workers-compensation-laws}(p_1, p_2, (q, t), u)
\end{aligned}
$$


4.7 §164.514 Other requirements relating to uses and disclosures of protected health information.

164.514(a) 

Health  information  that  does  not  identify  an  individual  and  with  respect  to  which 
there  is  no  reasonable  basis  to  believe  that  the  information  can  be  used  to  identify  an 
individual  is  not  individually  identifiable  health  information. 

This  paragraph  appears  to  state  an  intent  and  so  requires  no  formalization. 
164.514(b)

A covered entity may determine that health information is not individually identifiable
health information only if:

We  require  the  following  constraint: 

$$
\neg(t \in_T \mathit{phi}) \Rightarrow \varphi_{164.514b1} \vee \varphi_{164.514b2}
$$

164.514(b)(1) 

A person with appropriate knowledge of and experience with generally accepted
statistical and scientific principles and methods for rendering information not individually
identifiable:

(i) Applying such principles and methods, determines that the risk is very small that
the information could be used, alone or in combination with other reasonably
available information, by an anticipated recipient to identify an individual who is a
subject of the information; and

(ii)  Documents  the  methods  and  results  of  the  analysis  that  justify  such  determination; 
or 

We  have  the  macro: 

$$
\begin{aligned}
\varphi_{164.514b1} \equiv{} & \exists p.\ \text{has-experience-with-deidentified-info}(p) \wedge{} \\
& \qquad \text{determines-and-documents-reidentification-risk-is-small}(p, t)
\end{aligned}
$$

164.514(b)(2) 

(i)  The  following  identifiers  of  the  individual  or  of  relatives,  employers,  or  household 
members  of  the  individual,  are  removed: 

(A)  Names; 

(B)  All  geographic  subdivisions  smaller  than  a  State,  including  street  address,  city, 
county,  precinct,  zip  code,  and  their  equivalent  geocodes,  except  for  the  initial 
three  digits  of  a  zip  code  if,  according  to  the  current  publicly  available  data 
from  the  Bureau  of  the  Census: 

(1)  The  geographic  unit  formed  by  combining  all  zip  codes  with  the  same  three 
initial  digits  contains  more  than  20,000  people;  and 

(2) The initial three digits of a zip code for all such geographic units containing
20,000 or fewer people is changed to 000.

(C)  All  elements  of  dates  (except  year)  for  dates  directly  related  to  an  individual, 
including  birth  date,  admission  date,  discharge  date,  date  of  death;  and  all 
ages  over  89  and  all  elements  of  dates  (including  year)  indicative  of  such  age, 
except  that  such  ages  and  elements  may  be  aggregated  into  a  single  category  of 
age  90  or  older; 
(D) Telephone numbers;

(E)  Fax  numbers; 

(F)  Electronic  mail  addresses; 

(G)  Social  security  numbers; 

(H)  Medical  record  numbers; 

(I)  Health  plan  beneficiary  numbers; 

(J)  Account  numbers; 

(K)  Certificate/license  numbers; 

(L)  Vehicle  identifiers  and  serial  numbers,  including  license  plate  numbers; 

(M)  Device  identifiers  and  serial  numbers; 

(N)  Web  Universal  Resource  Locators  (URLs); 

(O)  Internet  Protocol  (IP)  address  numbers; 

(P)  Biometric  identifiers,  including  finger  and  voice  prints; 

(Q)  Full  face  photographic  images  and  any  comparable  images;  and 

(R) Any other unique identifying number, characteristic, or code, except as
permitted by paragraph (c) of this section; and

(ii) The covered entity does not have actual knowledge that the information could be
used alone or in combination with other information to identify an individual who
is a subject of the information.

We  have  the  macro: 

$$
\begin{aligned}
\varphi_{164.514b2} \equiv{} & \neg(\text{name} \in_T t) \wedge{} \\
& ((t \in_T \text{geographic-subdivision}) \wedge \text{smaller-than-State}(t) \supset{} \\
& \qquad (t \in_T \text{first-three-zip-code-digits}) \wedge{} \\
& \qquad \text{population-of-first-three-zip-code-digits-larger-than-20000}(t)) \wedge{} \\
& (\forall t'.\ (t' \in_T t) \wedge (t' \in_T \text{date}) \supset (t' \in_T \text{year})) \wedge{} \\
& \neg(\text{telephone-numbers} \in_T t) \wedge{} \\
& \neg(\text{fax-numbers} \in_T t) \wedge{} \\
& \neg(\text{email-addresses} \in_T t) \wedge{} \\
& \neg(\text{social-security-numbers} \in_T t) \wedge{} \\
& \neg(\text{medical-record-numbers} \in_T t) \wedge{} \\
& \neg(\text{health-plan-beneficiary-numbers} \in_T t) \wedge{} \\
& \neg(\text{account-numbers} \in_T t) \wedge{} \\
& \neg(\text{license-numbers} \in_T t) \wedge{} \\
& \neg(\text{vehicle-identifiers} \in_T t) \wedge{} \\
& \neg(\text{device-identifiers} \in_T t) \wedge{} \\
& \neg(\text{URLs} \in_T t) \wedge{} \\
& \neg(\text{IP-addresses} \in_T t) \wedge{} \\
& \neg(\text{biometric-identifiers} \in_T t) \wedge{} \\
& \neg(\text{full-face-images} \in_T t) \wedge{} \\
& (\forall t'.\ (t' \in_T \text{unique-identification-number}) \wedge (t' \in_T t) \supset \varphi_{164.514c}) \wedge{} \\
& \neg\text{has-knowledge-of-identification-risk}(t)
\end{aligned}
$$


164.514(c) 

A covered entity may assign a code or other means of record identification to
allow information deidentified under this section to be reidentified by the covered entity,
provided that:

(1)  The  code  or  other  means  of  record  identification  is  not  derived  from  or  related  to 
information  about  the  individual  and  is  not  otherwise  capable  of  being  translated 
so  as  to  identify  the  individual;  and 

(2) The covered entity does not use or disclose the code or other means of record
identification for any other purpose, and does not disclose the mechanism for
re-identification.

We  have  the  macro: 

$$
\begin{aligned}
\varphi_{164.514c} \equiv{} & (t' \in_T \text{reidentification-code}) \wedge{} \\
& \neg\text{code-derived-from-phi}(t') \wedge{} \\
& \neg\Diamond(\exists p', m'.\ \mathit{send}(p_1, p', m') \wedge{} \\
& \qquad \mathit{contains}(m', p_1, t') \wedge{} \\
& \qquad \mathit{contains}(m', p_1, \text{reidentification-mechanism}))
\end{aligned}
$$


164.514(d) 

164.514(d)(1) 

In order to comply with §164.502(b) and this section, a covered entity must meet the
requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request
for, or the use and disclosure of, protected health information.

$$
\begin{aligned}
\text{believes-minimum-necessary-for-purpose}(p_1, p_2, (q, t), u) \equiv{} & \varphi_{164.514d2} \wedge{} \\
& \varphi_{164.514d3} \wedge{} \\
& \varphi_{164.514d4} \wedge{} \\
& \varphi_{164.514d5}
\end{aligned}
$$

164.514(d)(2) 


(i)  A  covered  entity  must  identify: 

(A)  Those  persons  or  classes  of  persons,  as  appropriate,  in  its  workforce  who  need 
access  to  protected  health  information  to  carry  out  their  duties;  and 

(B)  For  each  such  person  or  class  of  persons,  the  category  or  categories  of  protected 
health  information  to  which  access  is  needed  and  any  conditions  appropriate 
to  such  access. 
(ii) A covered entity must make reasonable efforts to limit the access of such persons
or classes identified in paragraph (d)(2)(i)(A) of this section to protected health
information consistent with paragraph (d)(2)(i)(B) of this section.

We  have  the  macro: 

$$
\begin{aligned}
\varphi_{164.514d2} \equiv{} & \text{identifies-workforce-members-needing-phi}(p_1) \wedge{} \\
& \text{reasonably-limits-phi-access}(p_1)
\end{aligned}
$$

164.514(d)(3) 

(i) For any type of disclosure that it makes on a routine and recurring basis, a covered
entity must implement policies and procedures (which may be standard protocols)
that limit the protected health information disclosed to the amount reasonably
necessary to achieve the purpose of the disclosure.

(ii)  For  all  other  disclosures,  a  covered  entity  must: 

(A)  Develop  criteria  designed  to  limit  the  protected  health  information  disclosed 
to  the  information  reasonably  necessary  to  accomplish  the  purpose  for  which 
disclosure  is  sought;  and 

(B)  Review  requests  for  disclosure  on  an  individual  basis  in  accordance  with  such 
criteria. 

(iii) A covered entity may rely, if such reliance is reasonable under the circumstances,
on a requested disclosure as the minimum necessary for the stated purpose when:

(A) Making disclosures to public officials that are permitted under §164.512, if
the public official represents that the information requested is the minimum
necessary for the stated purpose(s);

(B)  The  information  is  requested  by  another  covered  entity; 

(C)  The  information  is  requested  by  a  professional  who  is  a  member  of  its  workforce 
or  is  a  business  associate  of  the  covered  entity  for  the  purpose  of  providing 
professional  services  to  the  covered  entity,  if  the  professional  represents  that 
the  information  requested  is  the  minimum  necessary  for  the  stated  purpose(s); 
or 

(D) Documentation or representations that comply with the applicable requirements
of §164.512(i) have been provided by a person requesting the information for
research purposes.

We  have  the  macro: 

$$
\begin{aligned}
\varphi_{164.514d3} \equiv{} & \text{implements-policies-for-routine-disclosures}(p_1) \wedge{} \\
& \text{implements-criteria-for-limiting-phi}(p_1) \wedge{} \\
& (\text{meets-policies-and-criteria}(p_1, p_2, (q, t), u) \vee{} \\
& \ (\mathit{activerole}(p_2, \text{public-official}) \wedge{} \\
& \qquad \text{represents-minimum-necessary}(p_2, p_1, p_2, (q, t), u)) \vee{} \\
& \ \mathit{activerole}(p_2, \text{covered-entity}) \vee{} \\
& \ ((\mathit{activerole}(p_2, \text{workforce-member}(p_1)) \vee{} \\
& \qquad \mathit{activerole}(p_2, \text{business-associate}(p_1))) \wedge{} \\
& \qquad (u \in_U \text{providing-professional-services}(p_1)) \wedge{} \\
& \qquad \text{represents-minimum-necessary}(p_2, p_1, p_2, (q, t), u)) \vee{} \\
& \ ((u \in_U \text{research}) \wedge{} \\
& \qquad \text{represents-minimum-necessary-164.512i}(p_2, p_1, p_2, (q, t), u)))
\end{aligned}
$$

164.514(d)(4) 

(i)  A  covered  entity  must  limit  any  request  for  protected  health  information  to  that 
which  is  reasonably  necessary  to  accomplish  the  purpose  for  which  the  request  is 
made,  when  requesting  such  information  from  other  covered  entities. 

(ii)  For  a  request  that  is  made  on  a  routine  and  recurring  basis,  a  covered  entity  must 
implement  policies  and  procedures  (which  may  be  standard  protocols)  that  limit 
the  protected  health  information  requested  to  the  amount  reasonably  necessary  to 
accomplish  the  purpose  for  which  the  request  is  made. 

(iii) For all other requests, a covered entity must:

(A)  Develop  criteria  designed  to  limit  the  request  for  protected  health  information 
to  the  information  reasonably  necessary  to  accomplish  the  purpose  for  which 
the  request  is  made;  and 

(B)  Review  requests  for  disclosure  on  an  individual  basis  in  accordance  with  such 
criteria. 

We  do  not  handle  this  paragraph. 

164.514(d)(5) 

For  all  uses,  disclosures,  or  requests  to  which  the  requirements  in  paragraph  (d)  of 
this  section  apply,  a  covered  entity  may  not  use,  disclose  or  request  an  entire  medical 
record,  except  when  the  entire  medical  record  is  specifically  justified  as  the  amount  that 
is  reasonably  necessary  to  accomplish  the  purpose  of  the  use,  disclosure,  or  request. 

We  have  the  macro: 

$$
\varphi_{164.514d5} \equiv (\text{full-medical-record} \in_T t) \supset \text{full-record-specifically-justified}(p_1, p_2, (q, t), u)
$$

164.514(e) 

164.514(e)(1) 

A  covered  entity  may  use  or  disclose  a  limited  data  set  that  meets  the  requirements 
of  paragraphs  (e)(2)  and  (e)(3)  of  this  section,  if  the  covered  entity  enters  into  a  data 
use  agreement  with  the  limited  data  set  recipient,  in  accordance  with  paragraph  (e)(4) 
of  this  section. 

We  have  the  following  positive  norm: 
$$
\begin{aligned}
\varphi_{164.514e1} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& \varphi_{164.514e2} \wedge{} \\
& \varphi_{164.514e3} \wedge{} \\
& \text{has-limited-data-use-agreement}(p_1, p_2, (q, t), u)
\end{aligned}
$$

164.514(e)(2) 

A limited data set is protected health information that excludes the following direct
identifiers of the individual or of relatives, employers, or household members of the
individual:

(i)  Names; 

(ii)  Postal  address  information,  other  than  town  or  city,  State,  and  zip  code; 

(iii) Telephone numbers;

(iv)  Fax  numbers; 

(v)  Electronic  mail  addresses; 

(vi)  Social  security  numbers; 

(vii)  Medical  record  numbers; 

(viii)  Health  plan  beneficiary  numbers; 

(ix)  Account  numbers; 

(x)  Certificate/license  numbers; 

(xi)  Vehicle  identifiers  and  serial  numbers,  including  license  plate  numbers; 

(xii)  Device  identifiers  and  serial  numbers; 

(xiii)  Web  Universal  Resource  Locators  (URLs); 

(xiv)  Internet  Protocol  (IP)  address  numbers; 

(xv)  Biometric  identifiers,  including  finger  and  voice  prints;  and 

(xvi)  Full  face  photographic  images  and  any  comparable  images. 

We  have  the  macro: 


$$
\begin{aligned}
\varphi_{164.514e2} \equiv{} & (t \in_T \mathit{phi}) \wedge{} \\
& \neg(\text{name} \in_T t) \wedge{} \\
& (\forall t'.\ (t' \in_T \text{postal-address}) \wedge (t' \in_T t) \supset{} \\
& \qquad (t' \in_T \text{city}) \vee (t' \in_T \text{State}) \vee (t' \in_T \text{zip-code})) \wedge{} \\
& \neg(\text{telephone-numbers} \in_T t) \wedge{} \\
& \neg(\text{fax-numbers} \in_T t) \wedge{} \\
& \neg(\text{email-addresses} \in_T t) \wedge{} \\
& \neg(\text{social-security-numbers} \in_T t) \wedge{} \\
& \neg(\text{medical-record-numbers} \in_T t) \wedge{} \\
& \neg(\text{health-plan-beneficiary-numbers} \in_T t) \wedge{} \\
& \neg(\text{account-numbers} \in_T t) \wedge{} \\
& \neg(\text{license-numbers} \in_T t) \wedge{} \\
& \neg(\text{vehicle-identifiers} \in_T t) \wedge{} \\
& \neg(\text{device-identifiers} \in_T t) \wedge{} \\
& \neg(\text{URLs} \in_T t) \wedge{} \\
& \neg(\text{IP-addresses} \in_T t) \wedge{} \\
& \neg(\text{biometric-identifiers} \in_T t) \wedge{} \\
& \neg(\text{full-face-images} \in_T t)
\end{aligned}
$$
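The two attribute-exclusion macros, $\varphi_{164.514b2}$ (Safe Harbor, including the $\varphi_{164.514c}$ condition on re-identification codes) and $\varphi_{164.514e2}$ (limited data set), as an added Python evaluator that is not part of the original report. The attribute classes and flags that stand in for the $\in_T$ relation and the oracle-backed predicates, and the sample records, are constructed here.

```python
from dataclasses import dataclass

# Attribute classes both macros require to be absent from the record t:
# phi_164.514b2 items (D)-(Q) and phi_164.514e2 items (iii)-(xvi).
DIRECT_IDENTIFIERS = (
    "telephone-numbers", "fax-numbers", "email-addresses",
    "social-security-numbers", "medical-record-numbers",
    "health-plan-beneficiary-numbers", "account-numbers", "license-numbers",
    "vehicle-identifiers", "device-identifiers", "URLs", "IP-addresses",
    "biometric-identifiers", "full-face-images",
)


@dataclass(frozen=True)
class Attr:
    """One attribute t' of a record t. `classes` stands in for the in_T relation:
    t' in_T c holds iff c is in classes. The flags stand in for the oracle-backed
    predicates the macros use; all of these names are constructed for this example."""
    classes: frozenset
    smaller_than_state: bool = False      # smaller-than-State(t')
    zip3_population: int = 0              # population of the 3-digit zip unit
    derived_from_phi: bool = False        # code-derived-from-phi(t')
    code_or_mechanism_sent: bool = False  # the send(...) clause of phi_164.514c has occurred


def attr(*classes, **flags):
    return Attr(frozenset(classes), **flags)


def in_T(a, c):
    return c in a.classes


def reidentification_code_ok(a):
    """phi_164.514c, applied to a unique identifying number t' kept in the record."""
    return (in_T(a, "reidentification-code")
            and not a.derived_from_phi
            and not a.code_or_mechanism_sent)


def safe_harbor_violations(record, has_knowledge_of_identification_risk=False):
    """phi_164.514b2: the items of 164.514(b)(2) the record violates; an empty
    list means the macro holds."""
    bad = []
    for a in record:
        if in_T(a, "name"):
            bad.append("(A) name")
        # (B): a subdivision smaller than a State survives only as the first three
        # zip-code digits of a unit with more than 20,000 people.
        if in_T(a, "geographic-subdivision") and a.smaller_than_state and not (
                in_T(a, "first-three-zip-code-digits") and a.zip3_population > 20000):
            bad.append("(B) geographic subdivision smaller than a State")
        # (C): every date element kept must be a year.
        if in_T(a, "date") and not in_T(a, "year"):
            bad.append("(C) date element other than year")
        for ident in DIRECT_IDENTIFIERS:
            if in_T(a, ident):
                bad.append(f"(D)-(Q) {ident}")
        # (R): any other unique code must satisfy phi_164.514c.
        if in_T(a, "unique-identification-number") and not reidentification_code_ok(a):
            bad.append("(R) unique identifier not meeting 164.514(c)")
    # (ii): the covered entity's actual knowledge is modelled as a flag.
    if has_knowledge_of_identification_risk:
        bad.append("(ii) actual knowledge of identification risk")
    return bad


def limited_data_set_violations(record):
    """phi_164.514e2: the items of 164.514(e)(2) the record violates (the outer
    (t in_T phi) conjunct is assumed to hold of every record passed in)."""
    bad = []
    for a in record:
        if in_T(a, "name"):
            bad.append("(i) name")
        # (ii): postal address elements other than town/city, State and zip code.
        if in_T(a, "postal-address") and not (
                in_T(a, "city") or in_T(a, "State") or in_T(a, "zip-code")):
            bad.append("(ii) postal address element finer than city, State or zip code")
        for ident in DIRECT_IDENTIFIERS:
            if in_T(a, ident):
                bad.append(f"(iii)-(xvi) {ident}")
    return bad


# Constructed records. SAFE_HARBOR_EXTRACT meets both macros; LIMITED_DATA_SET
# keeps a full date and so meets only phi_164.514e2; RAW_PHI meets neither.
SAFE_HARBOR_EXTRACT = [
    attr("geographic-subdivision", "first-three-zip-code-digits",
         smaller_than_state=True, zip3_population=45000),
    attr("date", "year"),
    attr("unique-identification-number", "reidentification-code"),
]
LIMITED_DATA_SET = [attr("postal-address", "city"), attr("postal-address", "zip-code"),
                    attr("date")]
RAW_PHI = [attr("name"), attr("medical-record-numbers"), attr("date"),
           attr("postal-address", "geographic-subdivision", smaller_than_state=True)]
```

Running the three records through both functions shows how a record can satisfy the limited-data-set macro while still failing Safe Harbor on the date clause alone.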

164.514(e)(3) 

(i) A covered entity may use or disclose a limited data set under paragraph (e)(1) of
this section only for the purposes of research, public health, or health care
operations.

(ii)  A  covered  entity  may  use  protected  health  information  to  create  a  limited  data  set 
that  meets  the  requirements  of  paragraph  (e)(2)  of  this  section,  or  disclose  protected 
health  information  only  to  a  business  associate  for  such  purpose,  whether  or  not 
the  limited  data  set  is  to  be  used  by  the  covered  entity. 

We  have  the  macro: 

$$
\begin{aligned}
\varphi_{164.514e3} \equiv{} & (u \in_U \text{research}) \vee{} \\
& (u \in_U \text{public-health}) \vee{} \\
& (u \in_U \text{healthcare-operations})
\end{aligned}
$$

Note  that  we  cannot  handle  paragraph  (ii)  since  our  model  does  not  support  an  action  for  creating 
a  limited  data  set.  In  other  words,  there  is  nothing  in  our  model  that  paragraph  (ii)  can  constrain. 

164.514(e)(4) 

164.514(e)(4)(i) 

A  covered  entity  may  use  or  disclose  a  limited  data  set  under  paragraph  (e)(1)  of 
this  section  only  if  the  covered  entity  obtains  satisfactory  assurance,  in  the  form  of  a 
data  use  agreement  that  meets  the  requirements  of  this  section,  that  the  limited  data  set 
recipient  will  only  use  or  disclose  the  protected  health  information  for  limited  purposes. 

Because  this  paragraph  simply  restates  the  final  part  of  paragraph  (e)(1),  there  is  nothing  new 
to  handle  here. 

164.514(e)(4)(ii)

A  data  use  agreement  between  the  covered  entity  and  the  limited  data  set  recipient 
must: 

(A)  Establish  the  permitted  uses  and  disclosures  of  such  information  by  the  limited 
data  set  recipient,  consistent  with  paragraph  (e)(3)  of  this  section.  The  data  use 
agreement  may  not  authorize  the  limited  data  set  recipient  to  use  or  further  disclose 
the  information  in  a  manner  that  would  violate  the  requirements  of  this  subpart,  if 
done  by  the  covered  entity; 

(B)  Establish  who  is  permitted  to  use  or  receive  the  limited  data  set;  and 
(C) Provide that the limited data set recipient will:

(1)  Not  use  or  further  disclose  the  information  other  than  as  permitted  by  the  data 
use  agreement  or  as  otherwise  required  by  law; 

(2)  Use  appropriate  safeguards  to  prevent  use  or  disclosure  of  the  information 
other  than  as  provided  for  by  the  data  use  agreement; 

(3) Report to the covered entity any use or disclosure of the information not
provided for by its data use agreement of which it becomes aware;

(4)  Ensure  that  any  agents,  including  a  subcontractor,  to  whom  it  provides  the 
limited  data  set  agrees  to  the  same  restrictions  and  conditions  that  apply  to 
the  limited  data  set  recipient  with  respect  to  such  information;  and 

(5)  Not  identify  the  information  or  contact  the  individuals. 

We  use  the  following  macro  to  specify  the  conditions  under  which  a  limited  data  use  agreement 
exists: 

$$
\begin{aligned}
\text{has-limited-data-use-agreement}(p_1, p_2) \equiv{} & \Diamond(\exists m'.\ \mathit{send}(p_2, p_1, m') \wedge{} \\
& \qquad \text{is-limited-data-use-agreement}(m') \wedge{} \\
& \qquad \text{contains-permitted-uses-disclosures}(p_1, p_2, m') \wedge{} \\
& \qquad \text{contains-permitted-recipients}(p_1, p_2, m') \wedge{} \\
& \qquad \text{contains-agreement-to-no-further-disclosures}(p_1, p_2, m') \wedge{} \\
& \qquad \text{contains-agreement-to-safeguards}(p_1, p_2, m') \wedge{} \\
& \qquad \text{contains-agreement-to-report-further-disclosures}(p_1, p_2, m') \wedge{} \\
& \qquad \text{contains-agreement-to-subcontractor-agreements}(p_1, p_2, m') \wedge{} \\
& \qquad \text{contains-agreement-to-no-contact-or-identification}(p_1, p_2, m'))
\end{aligned}
$$

Note  the  use  of  special  purpose  contains-...  predicates.  This  is  because  the  ordinary  contains 
predicate  requires  that  the  information  attribute  be  given  with  respect  to  a  subject  principal.  This 
is  not  the  case  here,  so  we  cannot  use  ordinary  contains. 
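The $\Diamond$-guarded macro above, evaluated over a constructed message trace and then combined into the positive norm of 164.514(e)(1), as an added Python example that is not the report's own code. The event record, the clause labels and the reading of $\Diamond$ as "at the current or some earlier time point" are assumptions made here.

```python
from dataclasses import dataclass

# The seven contains-... predicates of the macro, keyed to items (A), (B) and
# (C)(1)-(5) of 164.514(e)(4)(ii). The labels are constructed for this example.
REQUIRED_CLAUSES = frozenset({
    "permitted-uses-disclosures",      # (A)
    "permitted-recipients",            # (B)
    "no-further-disclosures",          # (C)(1)
    "safeguards",                      # (C)(2)
    "report-further-disclosures",      # (C)(3)
    "subcontractor-agreements",        # (C)(4)
    "no-contact-or-identification",    # (C)(5)
})


@dataclass(frozen=True)
class Message:
    """A message m'. `is_agreement` models is-limited-data-use-agreement(m');
    `clauses` records which contains-... predicates hold of m'."""
    is_agreement: bool
    clauses: frozenset = frozenset()


@dataclass(frozen=True)
class Send:
    """One send(sender, receiver, message) event on the trace, at time `time`."""
    time: int
    sender: str
    receiver: str
    message: Message


def has_limited_data_use_agreement(trace, p1, p2, now):
    """has-limited-data-use-agreement(p1, p2) at time point `now`: true iff at
    `now` or earlier (our reading of the past-time operator) the recipient p2
    sent the covered entity p1 an agreement carrying every required clause."""
    return any(
        e.time <= now
        and e.sender == p2 and e.receiver == p1
        and e.message.is_agreement
        and REQUIRED_CLAUSES <= e.message.clauses
        for e in trace
    )


def missing_clauses(trace, p1, p2, now):
    """Diagnostic for a failed check: the clauses absent from the latest agreement
    p2 sent p1 by `now`, or None when no agreement was sent at all."""
    candidates = [e for e in trace
                  if e.time <= now and e.sender == p2 and e.receiver == p1
                  and e.message.is_agreement]
    if not candidates:
        return None
    latest = max(candidates, key=lambda e: e.time)
    return sorted(REQUIRED_CLAUSES - latest.message.clauses)


def limited_data_set_disclosure_permitted(trace, p1, p2, u, now,
                                          p1_is_covered_entity,
                                          record_is_limited_data_set):
    """The positive norm phi_164.514e1: the activerole check, phi_164.514e2
    (passed in as a boolean), phi_164.514e3 on the purpose u, and the agreement."""
    e3 = u in ("research", "public-health", "healthcare-operations")
    return (p1_is_covered_entity and record_is_limited_data_set and e3
            and has_limited_data_use_agreement(trace, p1, p2, now))


# Constructed trace: the recipient first returns an incomplete draft, then a
# complete agreement two time points later.
DRAFT = Message(True, REQUIRED_CLAUSES - {"no-contact-or-identification"})
FINAL = Message(True, REQUIRED_CLAUSES)
TRACE = (
    Send(1, "hospital", "university", Message(False)),   # a request, not an agreement
    Send(2, "university", "hospital", DRAFT),
    Send(4, "university", "hospital", FINAL),
)

if __name__ == "__main__":
    for now in (1, 2, 4):
        print(now, has_limited_data_use_agreement(TRACE, "hospital", "university", now),
              missing_clauses(TRACE, "hospital", "university", now))
```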

164.514(e)(4)(iii)

(A)  A  covered  entity  is  not  in  compliance  with  the  standards  in  paragraph  (e)  of  this 
section  if  the  covered  entity  knew  of  a  pattern  of  activity  or  practice  of  the  limited 
data  set  recipient  that  constituted  a  material  breach  or  violation  of  the  data  use 
agreement,  unless  the  covered  entity  took  reasonable  steps  to  cure  the  breach  or  end 
the  violation,  as  applicable,  and,  if  such  steps  were  unsuccessful: 

(1)  Discontinued  disclosure  of  protected  health  information  to  the  recipient;  and 

(2)  Reported  the  problem  to  the  Secretary. 

(B) A covered entity that is a limited data set recipient and violates a data use
agreement will be in noncompliance with the standards, implementation specifications,
and requirements of paragraph (e) of this section.

There  does  not  appear  to  be  anything  to  add  here;  this  paragraph  seems  to  describe  “meta-level” 
operations  that  must  occur  when  an  entity  is  in  noncompliance. 
164.514(f)

164.514(f)(1) 

A covered entity may use, or disclose to a business associate or to an institutionally
related foundation, the following protected health information for the purpose of raising
funds for its own benefit, without an authorization meeting the requirements of §164.508:

(i)  Demographic  information  relating  to  an  individual;  and 

(ii)  Dates  of  health  care  provided  to  an  individual. 

$$
\begin{aligned}
\varphi_{164.514f1} \equiv{} & \mathit{activerole}(p_1, \text{covered-entity}) \wedge{} \\
& (\mathit{activerole}(p_2, \text{business-associate}(p_1)) \vee{} \\
& \ \mathit{activerole}(p_2, \text{related-foundation}(p_1))) \wedge{} \\
& ((t \in_T \text{demographic-info}) \vee{} \\
& \ (t \in_T \text{healthcare-dates})) \wedge{} \\
& (u \in_U \text{fundraising})
\end{aligned}
$$

164.514(f)(2) 

(i) The covered entity may not use or disclose protected health information for
fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a
statement required by §164.520(b)(1)(iii)(B) is included in the covered entity's
notice;

(ii) The covered entity must include in any fundraising materials it sends to an
individual under this paragraph a description of how the individual may opt out of
receiving any further fundraising communications.

(iii) The covered entity must make reasonable efforts to ensure that individuals who
decide to opt out of receiving future fundraising communications are not sent such
communications.

We  have  the  macro: 

$$
\begin{aligned}
\varphi_{164.514f2} \equiv{} & \Diamond(\exists m'.\ \mathit{send}(p_1, p_2, m') \wedge{} \\
& \qquad \text{is-notice}(m', p_1, p_2, (q, t), u) \wedge{} \\
& \qquad \text{contains-statement-of-possible-fundraising}(m', p_1, p_2) \wedge{} \\
& \qquad \text{contains-opt-out-instructions}(m', p_1, p_2))
\end{aligned}
$$

We  choose  not  to  formalize  paragraph  (iii)  because  it  is  unclear  how  to  capture  such  “reasonable 
efforts”.  In  PrivacyLFP,  we  can  only  require  (or  not)  that  something  is  sent  or  not  sent. 

164.514(g) 

If a health plan receives protected health information for the purpose of underwriting,
premium rating, or other activities relating to the creation, renewal, or replacement of
a contract of health insurance or health benefits, and if such health insurance or health
benefits are not placed with the health plan, such health plan may not use or disclose
such protected health information for any other purpose, except as may be required by
law.
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^i64.5i4g  —  (3p7.  activerole(pi,  health-plan)  A 
<$>(3?7i/,  it7.  send(p7,pi,  m7)  A 

contains (m7,  (g,  t),  it7)  A 
(( u 7  health-insurance- contract- creation)  V 

(V  Gw  health-insurance- contract-renewal)  V 
(u7  Gw  health-insurance-contract-replacement)))  A 
-i health-insurance-placed- with(p7 ,  pi ) )  D 
(it  Gw  health-insurance- contract- creation)  V 
(it  Gw  health-insurance-contract-renewal)  V 
(u  Gw  health-insurance-contract-replacement)  V 
required- by-law (pi,P2,  (g,  t),u) 
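The reuse restriction of $\varphi_{164.514g}$, as an added example that is not part of the original report: a checker that evaluates the norm for one proposed disclosure against a history of past receipts. The purpose hierarchy used for $\in_w$, the role assignment, the message history and the placed-with oracle are all constructed assumptions of the example; the report leaves them to the environment.

```python
"""Checker for the reuse restriction of HIPAA 164.514(g) (phi_164.514g).

Added example, not part of the original report. If the health plan p1 earlier
received attribute (q, t) from some p' for a contract-creation/renewal/
replacement purpose and the insurance was not placed with p', then the current
purpose u must again be one of those purposes (u in_w v in the purpose
hierarchy) or the disclosure must be required by law.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Attr = Tuple[str, str]  # (q, t): whose attribute, which attribute

# Constructed purpose hierarchy, child -> parent (None marks a root purpose).
PURPOSE_PARENT: Dict[str, Optional[str]] = {
    "underwriting": None,
    "health-insurance-contract-creation": "underwriting",
    "health-insurance-contract-renewal": "underwriting",
    "health-insurance-contract-replacement": "underwriting",
    "premium-rating": "health-insurance-contract-creation",  # constructed refinement
    "marketing": None,
    "treatment": None,
}

CONTRACT_PURPOSES = (
    "health-insurance-contract-creation",
    "health-insurance-contract-renewal",
    "health-insurance-contract-replacement",
)


def in_w(u: str, v: str) -> bool:
    """u in_w v: purpose u is v itself or a refinement (descendant) of v."""
    cur: Optional[str] = u
    while cur is not None:
        if cur == v:
            return True
        cur = PURPOSE_PARENT.get(cur)
    return False


def is_contract_purpose(u: str) -> bool:
    """The disjunction of the three in_w tests that appears in the norm."""
    return any(in_w(u, v) for v in CONTRACT_PURPOSES)


@dataclass(frozen=True)
class Receipt:
    """A past send(p', p1, m) with contains(m, (q, t), u'): the past-diamond part."""
    sender: str      # p'
    receiver: str    # p1
    attr: Attr       # (q, t)
    purpose: str     # u'


def phi_164_514g(p1: str, roles: Set[Tuple[str, str]], history: List[Receipt],
                 placed_with: Callable[[str, str], bool], attr: Attr, u: str,
                 required_by_law: bool) -> bool:
    """True when p1 disclosing attr for purpose u satisfies phi_164.514g."""
    if (p1, "health-plan") not in roles:  # activerole(p1, health-plan) fails: vacuous
        return True
    for r in history:
        if r.receiver != p1 or r.attr != attr or not is_contract_purpose(r.purpose):
            continue
        if placed_with(r.sender, p1):  # insurance was placed: antecedent fails for this p'
            continue
        # Antecedent holds for this p': the consequent must hold for the current u.
        if not (is_contract_purpose(u) or required_by_law):
            return False
    return True


# Constructed sample environment.
SAMPLE_ROLES = {("acme-plan", "health-plan")}
SAMPLE_HISTORY = [
    Receipt("broker-co", "acme-plan", ("alice", "claims-history"), "premium-rating"),
    Receipt("city-hospital", "acme-plan", ("bob", "lab-results"), "treatment"),
]


def sample_placed_with(p_prime: str, p1: str) -> bool:
    """Constructed oracle: no insurance was placed with anyone in the sample."""
    return False
```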

164.514(h)

164.514(h)(1)

Prior to any disclosure permitted by this subpart, a covered entity must:

(i) Except with respect to disclosures under §164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and

(ii) Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart.

Given the level of detail of our model, we do not handle explicit authentication actions. Instead, our model relies on roles having been previously assigned to the principals. This is analogous to the way that authorization logics assume that authentication has already occurred.

164.514(h)(2)

164.514(h)(2)(i)

If a disclosure is conditioned by this subpart on particular documentation, statements, or representations from the person requesting the protected health information, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the applicable requirements.

(A) The conditions in §164.512(f)(1)(ii)(C) may be satisfied by the administrative subpoena or similar process or by a separate written statement that, on its face, demonstrates that the applicable requirements have been met.

(B) The documentation required by §164.512(i)(2) may be satisfied by one or more written statements, provided that each is appropriately dated and signed in accordance with §164.512(i)(2)(i) and (v).

Again, because our model provides roles for the principals, this paragraph seems unnecessary.
164.514(h)(2)(ii)

A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official:

(A) If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

(B) If the request is in writing, the request is on the appropriate government letterhead; or

(C) If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.

The same analysis applies here as for paragraphs (h)(1) and (h)(2)(i).

164.514(h)(2)(iii)

A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official:

(A) A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;

(B) If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.

See paragraph (h)(2)(ii).

164.514(h)(2)(iv)

The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with §164.510 or acts on a good faith belief in making a disclosure in accordance with §164.512(j).

See paragraph (h)(2)(ii).

4.8 §164.524 Access of individuals to protected health information.

164.524(a)

164.524(a)(1)

Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:

(i) Psychotherapy notes;

(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and

(iii) Protected health information maintained by a covered entity that is:

(A) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or

(B) Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).

In our opinion, this paragraph describes the intent of §164.524. As a result, it introduces no norms directly. The relevant norms will be obtained from the following paragraphs.

164.524(a)(2)

A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances.

Paragraph (a)(2) describes the valid reasons that a covered entity may have for denying an access request without an opportunity for review. These reasons will be used in paragraph (b)(2)(i)(B), and so this macro is used there. Note that this paragraph is not yet describing a requirement; that will appear in (b)(2)(i)(B).

$$
\begin{aligned}
& \text{may-deny-without-review-164.524a2}(p_2, (p_1, t')) = \\
& \quad \text{may-deny-without-review-164.524a2i}(p_2, (p_1, t')) \vee \\
& \quad \text{may-deny-without-review-164.524a2ii}(p_2, (p_1, t')) \vee \\
& \quad \text{may-deny-without-review-164.524a2iii}(p_2, (p_1, t')) \vee \\
& \quad \text{may-deny-without-review-164.524a2iv}(p_2, (p_1, t')) \vee \\
& \quad \text{may-deny-without-review-164.524a2v}(p_2, (p_1, t'))
\end{aligned}
$$

164.524(a)(2)(i)

The protected health information is excepted from the right of access by paragraph (a)(1) of this section.

$$
\begin{aligned}
& \text{may-deny-without-review-164.524a2i}(p_2, (p_1, t')) = \\
& \quad (t' \in_t \text{psychotherapy-notes}) \vee \\
& \quad \text{compiled-for-action-or-proceeding}(p_2, (p_1, t')) \vee \\
& \quad \text{prohibited-by-42USC263a}(p_2, (p_1, t')) \vee \\
& \quad \text{exempt-pursuant-to-42CFR493.3a2}(p_2, (p_1, t'))
\end{aligned}
$$
164.524(a)(2)(ii)

A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate’s request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.

We have the macro:

$$
\begin{aligned}
& \text{may-deny-without-review-164.524a2ii}(p_2, (p_1, t')) = \\
& \quad \exists p'_2.\ \text{activerole}(p'_2, \text{correctional-institution}) \wedge \\
& \qquad ((p'_2 = p_2) \vee \\
& \qquad\ \ (\text{activerole}(p_2, \text{provider}) \wedge \\
& \qquad\ \ \ \text{under-direction-of}(p_2, p'_2))) \wedge \\
& \qquad \text{activerole}(p_1, \text{inmate}(p'_2)) \wedge \\
& \qquad \text{jeopardizes-health-safety-security-custody-rehabilitation}(p_2, p'_2, (p_1, t'))
\end{aligned}
$$

164.524(a)(2)(iii)

An individual’s access to protected health information created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research.

We have the macro:

$$
\begin{aligned}
& \text{may-deny-without-review-164.524a2iii}(p_2, (p_1, t')) = \\
& \quad \text{created-or-obtained-for-current-research}(p_2, (p_1, t')) \wedge \\
& \quad \text{activerole}(p_2, \text{provider}) \wedge \\
& \quad \text{agreed-to-denial-of-access}((p_1, t'), p_2) \wedge \\
& \quad \text{informed-of-future-reinstatement}(p_2, (p_1, t'))
\end{aligned}
$$

Although not stated explicitly in the law, it seems reasonable to have:

$$
\begin{aligned}
& \text{agreed-to-denial-of-access}((p_1, t'), p_2) = \\
& \quad \exists m'.\ \Diamond^{-}\text{send}(p_1, p_2, m') \wedge \\
& \qquad \text{is-agreement-to-denial}(m', p_2, (p_1, t'))
\end{aligned}
$$

and:

$$
\begin{aligned}
& \text{informed-of-future-reinstatement}(p_2, (p_1, t')) = \\
& \quad \exists m'.\ \Diamond^{-}\text{send}(p_2, p_1, m') \wedge \\
& \qquad \text{is-notice-of-future-reinstatement}(m', p_2, (p_1, t'))
\end{aligned}
$$
164.524(a)(2)(iv)

An individual’s access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law.

$$
\begin{aligned}
& \text{may-deny-without-review-164.524a2iv}(p_2, (p_1, t')) = \\
& \quad \text{subject-to-5USC552a}(p_2, (p_1, t')) \wedge \\
& \quad \text{may-deny-under-5USC552a}(p_2, (p_1, t'))
\end{aligned}
$$

164.524(a)(2)(v)

An individual’s access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

$$
\begin{aligned}
& \text{may-deny-without-review-164.524a2v}(p_2, (p_1, t')) = \\
& \quad \exists p_3, m'.\ \Diamond^{-}\text{send}(p_3, p_2, m') \wedge \\
& \qquad \text{contains}(m', (p_1, t')) \wedge \\
& \qquad \neg\text{activerole}(p_3, \text{provider}) \wedge \\
& \qquad \text{sent-under-promise-of-confidentiality}(p_3, p_2, m') \wedge \\
& \qquad \text{would-reveal-source}(p_2, (p_1, t'), p_3)
\end{aligned}
$$

164.524(a)(3)

A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances:

This paragraph states the valid reasons that a covered entity may give for denying an access request, given that an opportunity for review is provided. As in paragraph (a)(2), we express these conditions as a series of macros. However, no norms are present in this paragraph. Instead, these macros are used in paragraph (b)(2)(i)(B).

$$
\begin{aligned}
& \text{may-deny-with-review-164.524a3}(p_2, (p_1, t')) = \\
& \quad \text{may-deny-with-review-164.524a3i}(p_2, (p_1, t')) \vee \\
& \quad \text{may-deny-with-review-164.524a3ii}(p_2, (p_1, t')) \vee \\
& \quad \text{may-deny-with-review-164.524a3iii}(p_2, (p_1, t'))
\end{aligned}
$$

164.524(a)(3)(i)

A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;

We have the macro:

$$
\begin{aligned}
& \text{may-deny-with-review-164.524a3i}(p_2, (p_1, t')) = \\
& \quad \text{determines-access-would-endanger-physical-safety}(p_2, p_2, (p_1, t'))
\end{aligned}
$$
164.524(a)(3)(ii)

The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or

We have the macro:

$$
\begin{aligned}
& \text{may-deny-with-review-164.524a3ii}(p_2, (p_1, t')) = \\
& \quad \exists q'', t'', p_3.\ \text{contains}(t', (q'', t'')) \wedge \\
& \qquad \neg(q'' = p_1) \wedge \\
& \qquad \neg\text{belongstorole}(q'', \text{provider}(p_1)) \wedge \\
& \qquad \text{activerole}(p_3, \text{health-care-professional}) \wedge \\
& \qquad \text{determines-likely-to-cause-harm}(p_3, p_2, (p_1, t'), q'')
\end{aligned}
$$

164.524(a)(3)(iii)

The request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

$$
\begin{aligned}
& \text{may-deny-with-review-164.524a3iii}(p_2, (p_1, t)) = \\
& \quad \exists q, q'.\ \text{belongstorole}(p_1, \text{personal-representative}(q)) \wedge \\
& \qquad \text{likely-to-harm-individual}(p_2, (p_1, t), q')
\end{aligned}
$$

164.524(a)(4) 

If  access  is  denied  on  a  ground  permitted  under  paragraph  (a)(3)  of  this  section,  the 
individual  has  the  right  to  have  the  denial  reviewed  by  a  licensed  health  care  professional 
who  is  designated  by  the  covered  entity  to  act  as  a  reviewing  official  and  who  did  not 
participate  in  the  original  decision  to  deny.  The  covered  entity  must  provide  or  deny 
access  in  accordance  with  the  determination  of  the  reviewing  official  under  paragraph 
(d)(4)  of  this  section. 

We  again  interpret  this  paragraph  as  stating  the  intent  of  this  part  of  the  law.  The  particular 
implementation  specifications  are  given  in  paragraph  (d),  and  so  this  paragraph  yields  no  norms 
directly. 

164.524(b)

164.524(b)(1)

The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

We have no norms here. However, the fact that a covered entity must allow requests for access is captured by the particulars of our top-level formula. If the individual sends a request to the covered entity, the $(m = \text{req\_for\_access}(p_1, t)) \supset \cdots$ fragment of our top-level formula applies.

164.524(b)(2)

164.524(b)(2)(i)

Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access no later than 30 days after receipt of the request as follows.

We have the negative norm:

$$
\begin{aligned}
\varphi_{164.524b2i} = {} & \downarrow x.\ \text{accessible-on-site}(p_2, (p_1, t)) \supset \\
& \quad \Diamond(\downarrow y.\ (y \le x + 30) \wedge \\
& \qquad (\text{respond-164.524b2iA}(p_2, (p_1, t)) \vee \\
& \qquad\ \ \text{respond-164.524b2iB}(p_2, (p_1, t))))
\end{aligned}
$$

Note that this negative norm is not installed with most of the other negative norms. Instead it only applies to the $(m = \text{req\_for\_access}(p_1, t)) \supset \cdots$ part of our top-level formula. This is the negative norm that ensures that covered entities respond to all access requests.

164.524(b)(2)(i)(A)

If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section.

We define an accepting response using the macro:

$$
\begin{aligned}
& \text{respond-164.524b2iA}(p_2, (p_1, t)) = \\
& \quad \text{request-accepted}(p_2, (p_1, t)) \wedge \\
& \quad (\exists m'.\ \text{send}(p_2, p_1, m') \wedge \\
& \qquad \text{is-notice-of-request-accepted}(m', p_2, (p_1, t))) \wedge \\
& \quad \text{access-provided-164.524c}(p_2, (p_1, t))
\end{aligned}
$$

Note that the predicate request-accepted is left undefined; we rely on an oracle for its semantics. The macro access-provided-164.524c is defined in paragraph (c).

164.524(b)(2)(i)(B)

If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section.

We define a denying response using the macro:

$$
\begin{aligned}
& \text{respond-164.524b2iB}(p_2, (p_1, t)) = \\
& \quad \text{request-denied}(p_2, (p_1, t)) \wedge \\
& \quad (\text{may-deny-without-review-164.524a2}(p_2, (p_1, t)) \vee \\
& \qquad \text{may-deny-with-review-164.524a3}(p_2, (p_1, t))) \wedge \\
& \quad (\exists m'.\ \text{send}(p_2, p_1, m') \wedge \\
& \qquad \text{is-notice-of-request-denied}(m', p_2, (p_1, t))) \wedge \\
& \quad \text{access-denied-164.524d}(p_2, (p_1, t))
\end{aligned}
$$

Again, we do not give a definition to request-denied since that depends on the covered entity’s decision. The macro access-denied-164.524d is defined in paragraph (d). Note that we make use here of the macros from paragraphs (a)(2) and (3).

164.524(b)(2)(ii)

If the request for access is for protected health information that is not maintained or accessible to the covered entity on-site, the covered entity must take an action required by paragraph (b)(2)(i) of this section by no later than 60 days from the receipt of such a request.

$$
\begin{aligned}
\varphi_{164.524b2ii} = {} & \downarrow x.\ \neg\text{accessible-on-site}(p_2, (p_1, t)) \supset \\
& \quad \Diamond(\downarrow y.\ (y \le x + 60) \wedge \\
& \qquad (\text{respond-164.524b2iA}(p_2, (p_1, t)) \vee \\
& \qquad\ \ \text{respond-164.524b2iB}(p_2, (p_1, t))))
\end{aligned}
$$


164.524(b)(2)(iii)

If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) or (ii) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that:

(A) The covered entity, within the time limit set by paragraph (b)(2)(i) or (ii) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and

(B) The covered entity may have only one such extension of time for action on a request for access.

We have the macro:

$$
\begin{aligned}
& \text{respond-164.524b2iii}(p_2, (p_1, t), d) = \\
& \quad \exists m'.\ \text{send}(p_2, p_1, m') \wedge \\
& \qquad \text{is-notice-of-extension}(m', p_2, (p_1, t)) \wedge \\
& \qquad \Diamond(\downarrow z.\ (z \le d + 30) \wedge \\
& \qquad\quad (\text{respond-164.524b2iA}(p_2, (p_1, t)) \vee \\
& \qquad\quad\ \ \text{respond-164.524b2iB}(p_2, (p_1, t))))
\end{aligned}
$$

We must go back and update the norms $\varphi_{164.524b2i}$ and $\varphi_{164.524b2ii}$ to reflect this new possibility. For example, $\varphi_{164.524b2i}$ would become:

$$
\begin{aligned}
\varphi'_{164.524b2i} = {} & \downarrow x.\ \text{accessible-on-site}(p_2, (p_1, t)) \supset \\
& \quad \Diamond(\downarrow y.\ (y \le x + 30) \wedge \\
& \qquad (\text{respond-164.524b2iA}(p_2, (p_1, t)) \vee \\
& \qquad\ \ \text{respond-164.524b2iB}(p_2, (p_1, t)) \vee \\
& \qquad\ \ \text{respond-164.524b2iii}(p_2, (p_1, t), y)))
\end{aligned}
$$
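The response-deadline norms of paragraphs (b)(2)(i) to (iii), as an added example that is not part of the original report: a checker that replays a constructed trace of send events, binds $x$ to each request's arrival time the way the freeze quantifier does, and reports whether each request was answered within its deadline, allowing at most one extension. The event shape, the message kinds, day-granularity time and the accessible-on-site oracle are assumptions constructed for the example.

```python
"""Deadline checker for HIPAA 164.524(b)(2) access requests.

Added example, not part of the original report. It mirrors phi'_164.524b2i and
phi_164.524b2ii: when a request for access arrives at time x, the covered
entity must, by x + 30 days (x + 60 when the information is not accessible
on-site), either accept, deny, or send an extension notice; an extension
notice sent at time y then requires the accept/deny response by y + 30, and
(b)(2)(iii)(B) allows only one extension per request.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attr = Tuple[str, str]   # (p1, t): the individual and the requested attribute


@dataclass(frozen=True)
class Send:
    """One send(sender, receiver, m) event; time is in days from a fixed epoch."""
    time: int
    sender: str
    receiver: str
    kind: str            # "req_for_access" | "accept" | "deny" | "extension"
    attr: Attr


ON_SITE_DAYS = 30        # (b)(2)(i)
OFF_SITE_DAYS = 60       # (b)(2)(ii)
EXTENSION_DAYS = 30      # (b)(2)(iii)


def check_request(trace: List[Send], request: Send,
                  accessible_on_site: bool) -> Tuple[bool, str]:
    """Evaluate the norm for one request; returns (satisfied, explanation)."""
    if request.kind != "req_for_access":
        raise ValueError("check_request expects a req_for_access event")
    x = request.time  # the freeze quantifier binds x to the request's time
    deadline = x + (ON_SITE_DAYS if accessible_on_site else OFF_SITE_DAYS)
    # Messages from the covered entity back to the requester about the same attribute.
    replies = sorted(
        (e for e in trace
         if e.sender == request.receiver and e.receiver == request.sender
         and e.attr == request.attr and e.time >= x
         and e.kind in ("accept", "deny", "extension")),
        key=lambda e: e.time)
    extended = False
    for e in replies:
        if e.time > deadline:
            # A reply exists but nothing acceptable happened within the window.
            return False, f"no accept/deny/extension by day {deadline}"
        if e.kind in ("accept", "deny"):
            return True, f"{e.kind} on day {e.time} (deadline was day {deadline})"
        if extended:
            return False, f"second extension on day {e.time} violates (b)(2)(iii)(B)"
        extended = True
        deadline = e.time + EXTENSION_DAYS  # respond-164.524b2iii with d bound to y
    return False, f"no accept/deny/extension by day {deadline}"


def check_trace(trace: List[Send],
                accessible_on_site: Callable[[Attr], bool]
                ) -> Dict[Tuple[str, int], Tuple[bool, str]]:
    """Check every access request in the trace, keyed by (requester, request time)."""
    return {(r.sender, r.time): check_request(trace, r, accessible_on_site(r.attr))
            for r in trace if r.kind == "req_for_access"}


# Constructed sample trace: five individuals request access from one covered entity on day 0.
SAMPLE_TRACE = [
    Send(0, "alice", "clinic", "req_for_access", ("alice", "lab-results")),
    Send(25, "clinic", "alice", "accept", ("alice", "lab-results")),
    Send(0, "bob", "clinic", "req_for_access", ("bob", "imaging")),
    Send(28, "clinic", "bob", "extension", ("bob", "imaging")),
    Send(55, "clinic", "bob", "deny", ("bob", "imaging")),
    Send(0, "carol", "clinic", "req_for_access", ("carol", "progress-notes")),
    Send(10, "clinic", "carol", "extension", ("carol", "progress-notes")),
    Send(35, "clinic", "carol", "extension", ("carol", "progress-notes")),
    Send(50, "clinic", "carol", "accept", ("carol", "progress-notes")),
    Send(0, "dave", "clinic", "req_for_access", ("dave", "archived-chart")),
    Send(75, "clinic", "dave", "accept", ("dave", "archived-chart")),
    Send(0, "erin", "clinic", "req_for_access", ("erin", "billing")),
]


def sample_on_site(attr: Attr) -> bool:
    """Constructed accessible-on-site oracle: only the archived chart is off-site."""
    return attr[1] != "archived-chart"


if __name__ == "__main__":
    for key, (ok, why) in check_trace(SAMPLE_TRACE, sample_on_site).items():
        print(key, "OK" if ok else "VIOLATION", why)
```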




164.524(c)

If the covered entity provides an individual with access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.

We have the following macro which characterizes what must occur when access is provided:

$$
\begin{aligned}
& \text{access-provided-164.524c}(p_2, (p_1, t)) = \\
& \quad \exists m'.\ \text{send}(p_2, p_1, m') \wedge \\
& \qquad ((\text{access-provided-164.524c1}(p_2, (p_1, t), m') \wedge \\
& \qquad\ \ \ \text{access-provided-164.524c2i}(p_2, (p_1, t), m')) \vee \\
& \qquad\ \ \text{access-provided-164.524c2ii}(p_2, (p_1, t), m')) \wedge \\
& \qquad \text{access-provided-164.524c3}(p_2, (p_1, t), m') \wedge \\
& \qquad \text{access-provided-164.524c4}(p_2, (p_1, t), m')
\end{aligned}
$$

164.524(c)(1)

The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the protected health information once in response to a request for access.

$$
\text{access-provided-164.524c1}(p_2, (p_1, t), m') = \text{contains}(m', (p_1, t))
$$

164.524(c)(2)

164.524(c)(2)(i)

The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

We have the macro:

$$
\begin{aligned}
& \text{access-provided-164.524-c2i}(p_2, (p_1, t), f, m') = \\
& \quad (\text{producible-in-format}(p_2, (p_1, t), f) \wedge \\
& \qquad \text{in-format}(p_2, p_1, m', f)) \vee \\
& \quad (\neg\text{producible-in-format}(p_2, (p_1, t), f) \wedge \\
& \qquad \exists f'.\ \text{producible-in-format}(p_2, (p_1, t), f') \wedge \\
& \qquad\ \ \text{has-agreed-to-format}(p_2, p_1, (p_1, t), f') \wedge \\
& \qquad\ \ \text{has-agreed-to-format}(p_1, p_2, (p_1, t), f') \wedge \\
& \qquad\ \ \text{in-format}(p_2, p_1, m', f'))
\end{aligned}
$$

where $\text{has-agreed-to-format}(p, p', (p_1, t), f)$ is defined in an unspecified way. However, it is natural to have

$$
\begin{aligned}
& \text{has-agreed-to-format}(p, p', (p_1, t), f) = \\
& \quad \exists m''.\ \Diamond^{-}\text{send}(p, p', m'') \wedge \\
& \qquad \text{is-agreement-to-format}(m'', p, p', (p_1, t), f)
\end{aligned}
$$

164.524(c)(2)(ii)

The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if:

(A) The individual agrees in advance to such a summary or explanation; and

(B) The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.

We have the macro:

$$
\begin{aligned}
& \text{access-provided-164.524-c2ii}(p_2, (p_1, t), m') = \\
& \quad \exists x.\ \text{is-summary-of}(m', (p_1, t)) \wedge \\
& \qquad \text{has-agreed-to-summary}(p_1, p_2, (p_1, t)) \wedge \\
& \qquad \text{fees-for-summary}(p_2, (p_1, t), \$x) \wedge \\
& \qquad ((\$x > \$0) \supset \text{has-agreed-to-summary-fees}(p_1, p_2, (p_1, t), \$x))
\end{aligned}
$$

where the has-agreed-to-... predicates are left undefined by the law. However, it is again natural to permit definitions following the above example of has-agreed-to-format.

164.524(c)(3)

The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual’s request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.

This is handled by paragraph (b)(2).

164.524(c)(4)

If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:

(i) Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual;

(ii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and

(iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(ii) of this section.

We do not handle this paragraph since it is unclear what counts as a reasonable fee.
164.524(d)

If the covered entity denies access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.

To comply with the requirements of (d) for access denial, a covered entity must comply with all of the subparagraphs: (d)(1)–(4).

$$
\begin{aligned}
& \text{access-denied-164.524d}(p_2, (p_1, t), m') = \\
& \quad \text{access-denied-164.524d1}(p_2, (p_1, t), m') \wedge \\
& \quad \text{access-denied-164.524d2}(p_2, (p_1, t), m') \wedge \\
& \quad \text{access-denied-164.524d3}(p_2, (p_1, t), m') \wedge \\
& \quad \text{access-denied-164.524d4}(p_2, (p_1, t), m')
\end{aligned}
$$


164.524(d)(1)

The covered entity must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which the covered entity has a ground to deny access.

Because we have structured access requests to be over individual attributes, we have no notion of partial access denial. Therefore, there is nothing to do here:

$$
\text{access-denied-164.524d1}(p_2, (p_1, t), m') = \top
$$

164.524(d)(2)

The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain:

(i) The basis for the denial;

(ii) If applicable, a statement of the individual’s review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and

(iii) A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii).

$$
\begin{aligned}
& \text{access-denied-164.524d2}(p_2, (p_1, t), m') = \\
& \quad \text{contains-basis-for-denial}(m', p_2, (p_1, t)) \wedge \\
& \quad (\text{review-permitted}(p_2, (p_1, t)) \supset \\
& \qquad \text{contains-statement-of-review-rights}(m')) \wedge \\
& \quad \text{contains-description-how-to-complain}(m', p_2) \wedge \\
& \quad \text{contains-contact-info-164.530a1ii}(m', p_2)
\end{aligned}
$$




164.524(d)(3)

If the covered entity does not maintain the protected health information that is the subject of the individual’s request for access, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access.

$$
\begin{aligned}
& \text{access-denied-164.524d3}(p_2, (p_1, t), m') = \\
& \quad \text{not-maintained-by}((p_1, t), p_2) \wedge \\
& \quad (\exists p_3, m''.\ \Diamond^{-}\text{send}(p_3, p_2, m'') \wedge \\
& \qquad \text{contains-location-of}(m'', p_1, t)) \wedge \\
& \quad \text{contains-location-of}(m', p_1, t)
\end{aligned}
$$

Note the use of the $\Diamond^{-}$ operator to track knowledge that a principal has: the covered entity knows where the requested information is maintained if it previously received a message containing the location of that requested information.

164.524(d)(4)

If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official’s determination.

We have the macro:

$$
\begin{aligned}
& \text{access-denied-164.524d4}(p_2, (p_1, t), m') = \\
& \quad \Box(\downarrow x.\ \forall m_2.\ \text{send}(p_1, p_2, m_2) \wedge \\
& \qquad \text{is-request-for-review}(m_2, p_2, (p_1, t)) \supset \\
& \qquad \Diamond(\downarrow y.\ (y \le x + c_1) \wedge \\
& \qquad\quad \exists p_3, m_3.\ \text{send}(p_2, p_3, m_3) \wedge \\
& \qquad\quad \text{is-referral-to-review-denial}(m_3, p_2, (p_1, t), m') \wedge \\
& \qquad\quad \Diamond(\downarrow z.\ (z \le y + c_2) \wedge \\
& \qquad\qquad \exists m_4.\ \text{send}(p_3, p_2, m_4) \wedge \\
& \qquad\qquad ((\text{is-agreement-with-denial}(m_4, p_2, (p_1, t), m') \wedge \\
& \qquad\qquad\ \ \ \Diamond(\downarrow w.\ (w \le z + c_3) \wedge \\
& \qquad\qquad\quad\ \ \exists m_5.\ \text{send}(p_2, p_1, m_5) \wedge \\
& \qquad\qquad\quad\ \ \text{is-notice-of-review-result}(m_5, m_4) \wedge \\
& \qquad\qquad\quad\ \ \text{access-provided-164.524c}(p_2, (p_1, t)))) \vee \\
& \qquad\qquad\ \ (\text{is-disagreement-with-denial}(m_4, p_2, (p_1, t), m') \wedge \\
& \qquad\qquad\ \ \ \Diamond(\downarrow w.\ (w \le z + c_3) \wedge \\
& \qquad\qquad\quad\ \ \exists m_5.\ \text{send}(p_2, p_1, m_5) \wedge \\
& \qquad\qquad\quad\ \ \text{is-notice-of-review-result}(m_5, m_4))))))
\end{aligned}
$$

There are quite a few steps in this rule, but this seems to be unavoidable due to the length and detail of this paragraph. This paragraph makes crucial use of the freeze quantifier, $\downarrow$, which was not present in prior work.

164.524(e)

A covered entity must document the following and retain the documentation as required by §164.530(j):

(1) The designated record sets that are subject to access by individuals; and

(2) The titles of the persons or offices responsible for receiving and processing requests for access by individuals.

Because our model does not account for retaining documentation and/or records, we cannot handle this paragraph. In any case, this seems to be primarily an administrative requirement, not directly related to disclosures.
Chapter 5

Related Work and Conclusion

At this point, we have given logical formalizations of the Gramm-Leach-Bliley Act (GLBA), §§6802 and 6803, and the Health Insurance Portability and Accountability Act (HIPAA), §§164.502, 164.506, 164.508, 164.510, 164.512, 164.514, and 164.524 in our PrivacyLFP logic. Before concluding, we overview other related work in the area of formalizing privacy regulations.

5.1  Related  Work 

We  divide  the  closely  related  work  into  three  distinct  categories:  formalization  efforts  for  HIPAA 
and  GLBA,  other  privacy  logics,  and  privacy  languages. 

Other  Formalization  Efforts  for  HIPAA  and  GLBA.  There  are  five  related  efforts  for 
formalizing  HIPAA  and  GLBA. 

First, because PrivacyLFP is based on Barth et al.’s Logic of Privacy and Utility (LPU) [BDMN06, BDMS07, Bar08], our formalization of HIPAA is most closely related to their proof-of-concept examples of five HIPAA clauses. Our formalization covers a much larger part of HIPAA, and is more expressive, most notably due to our addition of disclosure purposes and real-time features.

Second,  Lam  et  al.  describe  a  formalization  of  HIPAA  §§164.502,  164.506,  and  164.510  in  a 
fragment  of  stratified  Datalog  with  one  alternation  of  negation,  which  they  name  pLogic  [LMS09]. 
To  formalize  a  given  HIPAA  clause,  they  write  a  pair  of  pLogic  rules  that  decide  if  an  action 
is  permitted  by  that  clause  and  if  an  action  is  forbidden  by  that  clause.  This  approach  has  the 
advantage  of  maintaining  a  close  correspondence  with  the  law’s  text,  which  is  useful  when  auditing. 

Although Lam et al.'s formalization has significantly larger coverage than the example clauses
of Barth et al., it is not as complete as ours, partly for reasons of expressiveness. Due to the lack
of temporal modalities in Datalog, they cannot express HIPAA clauses containing obligations, such
as those in §164.524(b), which obligate a covered entity to respond to access requests within 60
days. (Lam et al. can handle constraints that depend on past actions by linking a kind of historical
record to each action.) On the other hand, by using Datalog, they were able to quickly obtain a
prototype implementation without much technical trouble. Our formalization does not yet have an
implementation due to the nonstandard nature of our PrivacyLFP logic [DGJ+10].
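As an added illustration (not code from the thesis, nor from Lam et al.), the following Python sketches the two styles contrasted above: a permit/forbid rule pair in the spirit of pLogic, evaluated over a set of ground facts to give an allow-deny answer for a single action, and a check of the bounded-time obligation of §164.524(b), which has to look at a time-indexed trace of events rather than at one action. The predicate names, the facts and the trace are constructed; the two rules are only loosely shaped like the clauses discussed and are not faithful renderings of the statute; the 60-day bound is the figure quoted in the paragraph above.

```python
"""Added example: a pLogic-style permit/forbid pair versus a bounded-time
obligation check. Facts, trace, predicate names and rule bodies are all
constructed for illustration and do not reproduce the statute's text."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional


# --- Part 1: permit/forbid rules over ground facts (Datalog style) -------

@dataclass(frozen=True)
class Disclosure:
    """One candidate action: sender discloses `attribute` about `subject`
    to `recipient` for `purpose`."""
    sender: str
    recipient: str
    subject: str
    attribute: str   # e.g. "phi" (protected health information)
    purpose: str     # e.g. "treatment"


def permitted(a: Disclosure, facts: dict) -> bool:
    """'Permit' rule (constructed): a covered entity may disclose PHI to a
    health care provider for treatment. Every premise is a positive lookup
    in the fact base, as in a plain Datalog body."""
    return (a.attribute == "phi"
            and a.sender in facts["covered_entity"]
            and a.recipient in facts["health_care_provider"]
            and a.purpose == "treatment")


def forbidden(a: Disclosure, facts: dict) -> bool:
    """'Forbid' rule (constructed): a restriction on disclosures about this
    subject to this recipient is on record."""
    return (a.subject, a.recipient) in facts["restriction"]


def decide(a: Disclosure, facts: dict) -> bool:
    """Allow iff some rule permits and no rule forbids. The `not forbidden`
    is the single alternation of negation a stratified encoding needs; the
    decision depends only on the action and the current facts, not on time."""
    return permitted(a, facts) and not forbidden(a, facts)


# --- Part 2: a bounded-time obligation over a timestamped trace ----------

@dataclass(frozen=True)
class Event:
    when: date
    kind: str        # "access_request" or "access_response"
    entity: str      # the covered entity
    requester: str   # the individual asking for access


def unmet_obligations(trace: Iterable[Event], bound_days: int = 60,
                      now: Optional[date] = None) -> List[Event]:
    """Return the access requests not answered within `bound_days`.
    A pending request still inside its window (relative to `now`) is not a
    violation yet. Deciding this needs the request, the matching response,
    and the current time: a relation between events, not a fact about one."""
    events = sorted(trace, key=lambda e: e.when)
    if now is None:
        now = events[-1].when if events else date.today()
    window = timedelta(days=bound_days)
    pending: List[Event] = []    # unanswered requests, oldest first
    violations: List[Event] = []
    for e in events:
        if e.kind == "access_request":
            pending.append(e)
        elif e.kind == "access_response":
            # a response discharges the oldest pending request of the same parties
            for r in pending:
                if (r.entity, r.requester) == (e.entity, e.requester):
                    pending.remove(r)
                    if e.when - r.when > window:
                        violations.append(r)   # answered, but too late
                    break
    # still unanswered and already past the deadline
    violations.extend(r for r in pending if now - r.when > window)
    return violations


# Constructed sample data (not drawn from any real record).
FACTS = {
    "covered_entity": {"MercyHospital"},
    "health_care_provider": {"MercyHospital", "DrSmith"},
    "restriction": {("alice", "DrSmith")},
}

TRACE = [
    Event(date(2010, 1, 4), "access_request", "MercyHospital", "alice"),
    Event(date(2010, 2, 1), "access_response", "MercyHospital", "alice"),  # 28 days
    Event(date(2010, 1, 10), "access_request", "MercyHospital", "bob"),
    Event(date(2010, 4, 1), "access_response", "MercyHospital", "bob"),    # 81 days
    Event(date(2010, 3, 20), "access_request", "MercyHospital", "carol"),  # pending
]

if __name__ == "__main__":
    print(decide(Disclosure("MercyHospital", "DrSmith", "bob", "phi", "treatment"), FACTS))
    print([r.requester for r in unmet_obligations(TRACE)])
```

The point of the contrast is in the shape of the two checks: `decide` answers a point query about one action against the current facts, which is what a permit/forbid rule pair can express, whereas `unmet_obligations` must relate a request to a later response (or to the passage of time with no response at all), which is the kind of bounded-time obligation the text says needs temporal modalities.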

Third, Breaux and Anton have developed a methodology for extracting rights and obligations
from natural language privacy laws, and applied the methodology to the entire text of
HIPAA [BA08]. Their approach is quite different from ours and the others we have discussed.
Rather than producing a logical formalization intended for use with model checking and other
tools, their methodology produces a catalog of constraints on requirements, cross references, role
hierarchies, and priorities between clauses. This catalog is intended to assist engineers in designing
software that complies with the privacy regulations. As an opportunity for future work, we
believe that it might prove very profitable to combine these two approaches: by cataloging the law's
components, Breaux and Anton's methodology would likely ease the logician's task of translating
a privacy regulation into a logic for formal verification.

Fourth,  May  et  al.  [MGL06]  advocate  the  use  of  privacy  APIs  as  a  means  of  capturing  the 
privacy  components  of  HIPAA.  Privacy  APIs  are  an  extension  of  the  traditional  matrix  model  of 
access  control  with  constructs  for  logging.  Temporal  and  obligation  features  can  only  be  expressed 
as  uninterpreted  strings,  making  the  expressiveness  strictly  weaker  than  a  system  based  on  temporal 
logic.  To  evaluate  their  design  of  privacy  APIs,  they  formalized  §164.506  of  two  versions  of  HIPAA, 
and  analyzed  it  using  model  checking,  uncovering  an  ambiguity  in  the  law.  May  et  al.  did  not 
formalize  a  larger  fragment  of  HIPAA.  (May  et  al.  also  use  a  GLBA  clause  as  an  example,  but  do 
not  appear  to  have  pursued  a  large-scale  formalization  of  GLBA.) 

Finally, to the best of our knowledge, the only other formalization of GLBA clauses appears in
the work on the Logic of Privacy and Utility (LPU) by Barth et al. [BDMN06, Bar08]. However,
their formalization is limited to just four clauses. In addition, our formalization correctly handles
clauses involving constraints on information sharing (via fixed points) and annual notices (via
real-time features) that cannot be expressed in LPU.

Other  Privacy  Logics.  As  previously  noted,  most  closely  related  to  PrivacyLFP  is  the  Logic  of 
Privacy  and  Utility  (LPU)  [BDMN06,  BDMS07,  Bar08].  As  discussed  in  Section  2.2,  we  have  made 
several  extensions,  including  the  addition  of  purposes,  fixed  point  operators,  and  real-time  features. 
These  extensions  improved  the  expressive  power  so  that  new  clauses  of  GLBA  and  HIPAA  could 
be  formalized. 

Choosing  deontic  logic,  rather  than  temporal  logic,  as  a  foundation,  Dinesh  et  al.  have  developed 
a  logic  for  reasoning  about  conditions  and  exceptions  in  privacy  laws  [DJLS08].  This  is  distinct 
from  the  simple-minded  way  we  handle  exceptions  by  disjunctively  joining  them  to  the  relevant 
clauses.  The  approach  of  Dinesh  et  al.  is  advantageous  in  that  it  does  not  require  this  kind  of 
foresight:  there  is  no  need  to  modify  previously  formalized  clauses  if  exceptions  appear  in  later 
paragraphs.  Further  investigation  is  needed  to  determine  whether  their  ideas  can  be  adapted  to 
PrivacyLFP. 

Privacy Languages. There are numerous privacy languages described in the literature, including
the Enterprise Privacy Authorization Language (EPAL), the eXtensible Access Control Markup
Language (XACML), the Platform for Privacy Preferences (P3P), and role-based access control
(RBAC) languages.

EPAL [BKBS04, BPS03] and XACML [ANP+04], upon which EPAL was based, are privacy
languages formulated as access control frameworks. For example, in EPAL, a user makes an
"access" request (which may include sending data), which the system allows or denies according to
the privacy policy. Unfortunately, EPAL and XACML do not possess first-class temporal
modalities. Instead, they have a much weaker uninterpreted obligation symbol for representing future
requirements. Our PrivacyLFP logic inherits the richer temporal and obligation constructs from
LPU, and is therefore more expressive than EPAL and XACML.
P3P [RC99, BCK03, ACR99] is a privacy language targeted exclusively at web sites. As such,
the sender and recipient are fixed to be the web site and the web site visitor, respectively, making
P3P unsuitable for the formalization of HIPAA, GLBA, and general privacy laws. Moreover, P3P
cannot express temporal modalities.

RBAC  languages  (e.g.,  [Cra03,  JSSS01,  LMW02])  tackle  the  access  control  problem  from  the 
standpoint  of  roles:  a  principal’s  access  rights  are  determined  by  the  roles  she  holds.  Unfortunately, 
RBAC  generally  lacks  a  notion  of  data  attribute,  and  so  cannot  express  privacy  policies  that  take 
attributes  into  account  when  making  an  allow-deny  decision.  In  addition,  RBAC,  too,  does  not 
include  temporal  modalities. 

5.2  Conclusion 

In  this  work,  we  have  designed  a  novel  privacy  logic,  PrivacyLFP,  based  on  the  Logic  of  Privacy 
and  Utility  [BDMN06,  BDMS07,  Bar08]  but  extended  with  purposes,  real-time  features,  and  fixed 
points.  Using  PrivacyLFP,  we  have  given  formalizations  of  GLBA  and  HIPAA,  which  we  believe  to 
be  the  most  complete  formalizations  of  these  laws  in  a  logic  to  date.  Studies  of  HIPAA’s  effect  on 
privacy  practices  have  suggested  that  HIPAA  has  paradoxically  weakened  privacy  [AEV+07].  We 
sincerely  hope  that  our  formalizations  may  prove  useful  in  designing  and  using  practical  tools  to 
combat  this  effect  in  the  financial  and  healthcare  contexts. 